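def __init__(self, mainMenu, params=None):
    """Set up the foreign Meterpreter listener's metadata and option table.

    Builds ``self.info`` (module metadata) and ``self.options`` (the
    runtime-settable option table), then stores the ``mainMenu`` reference
    and an empty thread registry.

    Args:
        mainMenu: Framework main-menu object, kept as ``self.mainMenu`` so
            the listener can reach shared framework state.
        params: Optional list of ``[Name, Value]`` pairs. Accepted for
            interface parity with the other modules but not read by this
            initializer. Defaults to ``None`` instead of a shared mutable
            ``[]``.
    """
    self.info = {
        'Name': 'Meterpreter',
        'Author': ['@harmj0y'],
        'Description': "Starts a 'foreign' http[s] Meterpreter listener.",
        'Category': 'client_server',
        'Comments': [],
    }

    # Options settable during runtime.
    # format: value_name : {description, required, default_value}
    self.options = {
        'Name': {
            'Description': 'Name for the listener.',
            'Required': True,
            'Value': 'meterpreter',
        },
        'Host': {
            # Default staging host is the local address reported by helpers.
            'Description': 'Hostname/IP for staging.',
            'Required': True,
            'Value': 'http://%s' % helpers.lhost(),
        },
        'Port': {
            # Required but has no default.
            'Description': 'Port for the listener.',
            'Required': True,
            'Value': '',
        },
    }

    # Required by the listener framework.
    self.mainMenu = mainMenu
    self.threads = {}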
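def __init__(self, mainMenu, params=None):
    """Set up the BackdoorLnkMacro stager's metadata and option table.

    Builds ``self.info`` and ``self.options``, stores ``mainMenu`` and then
    applies any ``[Name, Value]`` pairs from ``params`` to options already
    present in the table (names not in the table are silently ignored).

    Args:
        mainMenu: Framework main-menu object, kept as ``self.mainMenu`` to
            reach listeners/agent handlers/etc.
        params: Optional list of ``[Name, Value]`` pairs used to preset
            option values. Defaults to ``None`` (treated as empty) instead
            of a shared mutable ``[]``.
    """
    if params is None:
        params = []

    self.info = {
        'Name': 'BackdoorLnkMacro',
        'Author': ['@G0ldenGunSec'],
        'Description': (
            'Generates a macro that backdoors .lnk files on the users desktop, backdoored lnk files in '
            'turn attempt to download & execute an empire launcher when the user clicks on them. '
            'Usage: Three files will be spawned from this, an xls document (either new or containing '
            'existing contents) that data will be placed into, a macro that should be placed in the '
            'spawned xls document, and an xml that should be placed on a web server accessible by the '
            'remote system (as defined during stager generation). By default this xml is written to '
            '/var/www/html, which is the webroot on debian-based systems such as kali.'
        ),
        'Comments': [
            'Two-stage macro attack vector used for bypassing tools that perform monitor parent '
            'processes and flag / block process launches from unexpected programs, such as office. The '
            'initial run of the macro is vbscript and spawns no child processes, instead it backdoors '
            'targeted shortcuts on the users desktop to do a direct run of powershell next time they are '
            'clicked. The second step occurs when the user clicks on the shortcut, the powershell '
            'download stub that runs will attempt to download & execute an empire launcher from an xml '
            'file hosted on a pre-defined webserver, which will in turn grant a full shell. Credits to '
            '@harmJ0y and @enigma0x3 for designing the macro stager that this was originally based on, '
            '@subTee for research pertaining to the xml.xmldocument cradle, and @curi0usJack for info on '
            'using cell embeds to evade AV.'
        ],
    }

    # Random 5-9 letter basename shared by the default XmlUrl and XmlOutFile
    # options so both defaults refer to the same file. It is only a filename,
    # not a secret, so the non-cryptographic ``random`` module is adequate.
    xml_name = ''.join(
        random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(5, 9))
    )

    # Options settable during runtime.
    # format: value_name : {description, required, default_value}
    self.options = {
        'Listener': {
            'Description': 'Listener to generate stager for.',
            'Required': True,
            'Value': '',
        },
        'Obfuscate': {
            # 'Strict' with 'SuggestedValues' restricts this to True/False.
            'Description': 'Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for '
                           'obfuscation types. For powershell only.',
            'Required': False,
            'Value': 'False',
            'SuggestedValues': ['True', 'False'],
            'Strict': True,
        },
        'ObfuscateCommand': {
            'Description': 'The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For '
                           'powershell only.',
            'Required': False,
            'Value': r'Token\All\1',
        },
        'Language': {
            'Description': 'Language of the launcher to generate.',
            'Required': True,
            'Value': 'powershell',
        },
        'TargetEXEs': {
            'Description': 'Will backdoor .lnk files pointing to selected executables (do not include .exe '
                           'extension), enter a comma seperated list of target exe names - ex. iexplore,firefox,'
                           'chrome',
            'Required': True,
            'Value': 'iexplore,firefox,chrome',
        },
        'XmlUrl': {
            'Description': 'remotely-accessible URL to access the XML containing launcher code. Please try and '
                           'keep this URL short, as it must fit in the given 1024 chars for args along with all '
                           'other logic - default options typically allow for 100-200 chars of extra space, '
                           'depending on targeted exe',
            'Required': True,
            'Value': 'http://' + helpers.lhost() + '/' + xml_name + '.xml',
        },
        'XlsOutFile': {
            'Description': 'XLS (incompatible with xlsx/xlsm) file to output stager payload to. If document does '
                           'not exist / cannot be found a new file will be created',
            'Required': True,
            'Value': '/tmp/default.xls',
        },
        'OutFile': {
            'Description': 'Filename that should be used for the generated output, otherwise returned as a string.',
            'Required': False,
            'Value': 'macro',
        },
        'XmlOutFile': {
            'Description': 'Local path + file to output xml to.',
            'Required': True,
            'Value': '/var/www/html/' + xml_name + '.xml',
        },
        'KillDate': {
            # Default is the generation date; no validation of the format
            # happens in this initializer.
            'Description': 'Date after which the initial powershell stub will no longer attempt to download and '
                           'execute code, set this for the end of your campaign / engagement. Format mm/dd/yyyy',
            'Required': True,
            'Value': datetime.datetime.now().strftime('%m/%d/%Y'),
        },
        'UserAgent': {
            'Description': 'User-agent string to use for the staging request (default, none, or other) (2nd stage).',
            'Required': False,
            'Value': 'default',
        },
        'Proxy': {
            'Description': 'Proxy to use for request (default, none, or other) (2nd stage).',
            'Required': False,
            'Value': 'default',
        },
        'StagerRetries': {
            'Description': 'Times for the stager to retry connecting (2nd stage).',
            'Required': False,
            'Value': '0',
        },
        'ProxyCreds': {
            # '\\]' keeps the literal backslash without relying on an invalid
            # escape sequence ('\]' is a SyntaxWarning on newer Pythons).
            # Credentials set here are stored in this table as plain text.
            'Description': 'Proxy credentials ([domain\\]username:password) to use for request (default, none, '
                           'or other) (2nd stage).',
            'Required': False,
            'Value': 'default',
        },
        'Bypasses': {
            'Description': 'Bypasses as a space separated list to be prepended to the launcher',
            'Required': False,
            'Value': 'mattifestation etw',
        },
    }

    # Save off a copy of the mainMenu object to access external functionality
    # like listeners/agent handlers/etc.
    self.mainMenu = mainMenu

    # Parameter format is [Name, Value]; unknown option names are skipped.
    for option, value in params:
        if option in self.options:
            self.options[option]['Value'] = value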
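def __init__(self, mainMenu, params=None):
    """Set up the foreign HTTP[S] listener's metadata and option table.

    Builds ``self.info`` and ``self.options``, stores the framework
    references, derives ``self.uris`` from the ``DefaultProfile`` option and
    finally replaces the placeholder ``StagingKey`` with the controller's
    configured value.

    Args:
        mainMenu: Framework main-menu object, kept as ``self.mainMenu``.
        params: Optional list of ``[Name, Value]`` pairs. Accepted for
            interface parity with the other modules but not read by this
            initializer. Defaults to ``None`` instead of a shared mutable
            ``[]``.
    """
    self.info = {
        'Name': 'HTTP[S]',
        'Author': ['@harmj0y'],
        'Description': "Starts a 'foreign' http[s] Empire listener.",
        'Category': 'client_server',
        'Comments': [],
    }

    # Options settable during runtime.
    # format: value_name : {description, required, default_value}
    self.options = {
        'Name': {
            'Description': 'Name for the listener.',
            'Required': True,
            'Value': 'http_foreign',
        },
        'Host': {
            'Description': 'Hostname/IP for staging.',
            'Required': True,
            'Value': 'http://%s' % helpers.lhost(),
        },
        'Port': {
            'Description': 'Port for the listener.',
            'Required': True,
            'Value': '',
        },
        'Launcher': {
            'Description': 'Launcher string.',
            'Required': True,
            'Value': 'powershell -noP -sta -w 1 -enc ',
        },
        'StagingKey': {
            # Placeholder only: overwritten at the end of __init__ with the
            # controller's configured staging key, so this literal is never
            # the effective key.
            'Description': 'Staging key for initial agent negotiation.',
            'Required': True,
            'Value': '2c103f2c4ed1e59c0b4e2e01821770fa',
        },
        'DefaultDelay': {
            'Description': 'Agent delay/reach back interval (in seconds).',
            'Required': True,
            'Value': 5,
        },
        'DefaultJitter': {
            # Documented range 0.0-1.0; not validated here.
            'Description': 'Jitter in agent reachback interval (0.0-1.0).',
            'Required': True,
            'Value': 0.0,
        },
        'DefaultLostLimit': {
            'Description': 'Number of missed checkins before exiting',
            'Required': True,
            'Value': 60,
        },
        'DefaultProfile': {
            # "<comma-separated URIs>|<user agent>"; the URI part feeds
            # self.uris below.
            'Description': 'Default communication profile for the agent.',
            'Required': True,
            'Value': '/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
        },
        'KillDate': {
            'Description': 'Date for the listener to exit (MM/dd/yyyy).',
            'Required': False,
            'Value': '',
        },
        'WorkingHours': {
            'Description': 'Hours for the agent to operate (09:00-17:00).',
            'Required': False,
            'Value': '',
        },
        'SlackURL': {
            # Webhook URLs are bearer-style secrets; stored here as plain text
            # like every other option.
            'Description': 'Your Slack Incoming Webhook URL to communicate with your Slack instance.',
            'Required': False,
            'Value': '',
        },
    }

    # Required by the listener framework.
    self.mainMenu = mainMenu
    self.threads = {}

    # Optional/specific for this module.
    self.app = None
    # Request URIs: the part of DefaultProfile before '|', split on ','
    # with surrounding slashes removed.
    profile_uris = self.options['DefaultProfile']['Value'].split('|')[0]
    self.uris = [uri.strip('/') for uri in profile_uris.split(',')]

    # Set the default staging key to the controller db default.
    self.options['StagingKey']['Value'] = str(data_util.get_config('staging_key')[0])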
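def __init__(self, mainMenu, params=None):
    """Set up the HTTP[S] COM listener's metadata and option table.

    Builds ``self.info`` and ``self.options``, stores the framework
    references, derives ``self.uris`` from ``DefaultProfile``, replaces the
    placeholder ``StagingKey`` with the controller's configured value and
    picks a random ``header_offset``.

    Args:
        mainMenu: Framework main-menu object, kept as ``self.mainMenu``.
        params: Optional list of ``[Name, Value]`` pairs. Accepted for
            interface parity with the other modules but not read by this
            initializer. Defaults to ``None`` instead of a shared mutable
            ``[]``.
    """
    self.info = {
        'Name': 'HTTP[S] COM',
        'Author': ['@harmj0y'],
        'Description': (
            'Starts a http[s] listener (PowerShell only) that uses a GET/POST approach '
            'using a hidden Internet Explorer COM object. If using HTTPS, valid certificate required.'
        ),
        'Category': 'client_server',
        'Comments': [],
    }

    # Options settable during runtime.
    # format: value_name : {description, required, default_value}
    self.options = {
        'Name': {
            'Description': 'Name for the listener.',
            'Required': True,
            'Value': 'http_com',
        },
        'Host': {
            'Description': 'Hostname/IP for staging.',
            'Required': True,
            'Value': 'http://%s' % helpers.lhost(),
        },
        'BindIP': {
            # 0.0.0.0 binds every local interface by default.
            'Description': 'The IP to bind to on the control server.',
            'Required': True,
            'Value': '0.0.0.0',
        },
        'Port': {
            'Description': 'Port for the listener.',
            'Required': True,
            'Value': '',
        },
        'Launcher': {
            'Description': 'Launcher string.',
            'Required': True,
            'Value': 'powershell -noP -sta -w 1 -enc ',
        },
        'StagingKey': {
            # Placeholder only: overwritten below with the controller's
            # configured staging key, so this literal is never the
            # effective key.
            'Description': 'Staging key for initial agent negotiation.',
            'Required': True,
            'Value': '2c103f2c4ed1e59c0b4e2e01821770fa',
        },
        'DefaultDelay': {
            'Description': 'Agent delay/reach back interval (in seconds).',
            'Required': True,
            'Value': 5,
        },
        'DefaultJitter': {
            # Documented range 0.0-1.0; not validated here.
            'Description': 'Jitter in agent reachback interval (0.0-1.0).',
            'Required': True,
            'Value': 0.0,
        },
        'DefaultLostLimit': {
            'Description': 'Number of missed checkins before exiting',
            'Required': True,
            'Value': 60,
        },
        'DefaultProfile': {
            # "<comma-separated URIs>|<user agent>"; the URI part feeds
            # self.uris below.
            'Description': 'Default communication profile for the agent.',
            'Required': True,
            'Value': '/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
        },
        'CertPath': {
            # Not required even though the description above says HTTPS
            # needs a valid certificate.
            'Description': 'Certificate path for https listeners.',
            'Required': False,
            'Value': '',
        },
        'KillDate': {
            'Description': 'Date for the listener to exit (MM/dd/yyyy).',
            'Required': False,
            'Value': '',
        },
        'WorkingHours': {
            'Description': 'Hours for the agent to operate (09:00-17:00).',
            'Required': False,
            'Value': '',
        },
        'RequestHeader': {
            'Description': 'Cannot use Cookie header, choose a different HTTP request header for comms.',
            'Required': True,
            'Value': 'CF-RAY',
        },
        'Headers': {
            'Description': 'Headers for the control server.',
            'Required': True,
            'Value': 'Server:Microsoft-IIS/7.5',
        },
        'SlackURL': {
            # Webhook URLs are bearer-style secrets; stored here as plain text
            # like every other option.
            'Description': 'Your Slack Incoming Webhook URL to communicate with your Slack instance.',
            'Required': False,
            'Value': '',
        },
    }

    # Required by the listener framework.
    self.mainMenu = mainMenu
    self.threads = {}

    # Optional/specific for this module.
    self.app = None
    # Request URIs: the part of DefaultProfile before '|', split on ','
    # with surrounding slashes removed.
    profile_uris = self.options['DefaultProfile']['Value'].split('|')[0]
    self.uris = [uri.strip('/') for uri in profile_uris.split(',')]

    # Set the default staging key to the controller db default.
    self.options['StagingKey']['Value'] = str(data_util.get_config('staging_key')[0])

    # Randomize the length of the default_response and index_page headers
    # to evade signature based scans.
    self.header_offset = random.randint(0, 64)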
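def __init__(self, mainMenu, params=None):
    """Set up the template listener's metadata and option table.

    Builds ``self.info`` and ``self.options``, stores the framework
    references and replaces the placeholder ``StagingKey`` with the
    controller's configured value.

    Args:
        mainMenu: Framework main-menu object, kept as ``self.mainMenu``.
        params: Optional list of ``[Name, Value]`` pairs. Accepted for
            interface parity with the other modules but not read by this
            initializer. Defaults to ``None`` instead of a shared mutable
            ``[]``.
    """
    self.info = {
        'Name': 'Template',
        'Author': ['@harmj0y'],
        'Description': 'Listener template',
        # categories - client_server, peer_to_peer, broadcast, third_party
        'Category': 'client_server',
        'Comments': [],
    }

    # Options settable during runtime.
    # format: value_name : {description, required, default_value}
    self.options = {
        'Name': {
            'Description': 'Name for the listener.',
            'Required': True,
            'Value': 'http',
        },
        'Host': {
            'Description': 'Hostname/IP for staging.',
            'Required': True,
            'Value': 'http://%s' % helpers.lhost(),
        },
        'BindIP': {
            # 0.0.0.0 binds every local interface by default.
            'Description': 'The IP to bind to on the control server.',
            'Required': True,
            'Value': '0.0.0.0',
        },
        'Port': {
            'Description': 'Port for the listener.',
            'Required': True,
            'Value': '',
        },
        'Launcher': {
            'Description': 'Launcher string.',
            'Required': True,
            'Value': 'powershell -noP -sta -w 1 -enc ',
        },
        'StagingKey': {
            # Placeholder only: overwritten at the end of __init__ with the
            # controller's configured staging key, so this literal is never
            # the effective key.
            'Description': 'Staging key for initial agent negotiation.',
            'Required': True,
            'Value': '2c103f2c4ed1e59c0b4e2e01821770fa',
        },
        'DefaultDelay': {
            'Description': 'Agent delay/reach back interval (in seconds).',
            'Required': True,
            'Value': 5,
        },
        'DefaultJitter': {
            # Documented range 0.0-1.0; not validated here.
            'Description': 'Jitter in agent reachback interval (0.0-1.0).',
            'Required': True,
            'Value': 0.0,
        },
        'DefaultLostLimit': {
            'Description': 'Number of missed checkins before exiting',
            'Required': True,
            'Value': 60,
        },
        'DefaultProfile': {
            'Description': 'Default communication profile for the agent.',
            'Required': True,
            'Value': '/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
        },
        'CertPath': {
            'Description': 'Certificate path for https listeners.',
            'Required': False,
            'Value': '',
        },
        'KillDate': {
            'Description': 'Date for the listener to exit (MM/dd/yyyy).',
            'Required': False,
            'Value': '',
        },
        'WorkingHours': {
            'Description': 'Hours for the agent to operate (09:00-17:00).',
            'Required': False,
            'Value': '',
        },
        'ServerVersion': {
            'Description': 'Server header for the control server.',
            'Required': True,
            'Value': 'Microsoft-IIS/7.5',
        },
        'StagerURI': {
            'Description': 'URI for the stager. Example: stager.php',
            'Required': False,
            'Value': '',
        },
        'UserAgent': {
            'Description': 'User-agent string to use for the staging request (default, none, or other).',
            'Required': False,
            'Value': 'default',
        },
        'Proxy': {
            'Description': 'Proxy to use for request (default, none, or other).',
            'Required': False,
            'Value': 'default',
        },
        'ProxyCreds': {
            # '\\]' keeps the literal backslash without relying on an invalid
            # escape sequence ('\]' is a SyntaxWarning on newer Pythons).
            # Credentials set here are stored in this table as plain text.
            'Description': 'Proxy credentials ([domain\\]username:password) to use for request (default, none, or other).',
            'Required': False,
            'Value': 'default',
        },
        'SlackURL': {
            # Webhook URLs are bearer-style secrets; stored here as plain text
            # like every other option.
            'Description': 'Your Slack Incoming Webhook URL to communicate with your Slack instance.',
            'Required': False,
            'Value': '',
        },
    }

    # Required by the listener framework.
    self.mainMenu = mainMenu
    # Used to keep track of any threaded instances of this server.
    self.threads = {}

    # Optional/specific for this module:
    # set the default staging key to the controller db default.
    self.options['StagingKey']['Value'] = str(data_util.get_config('staging_key')[0])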
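def __init__(self, mainMenu, params=None):
    """Set up the BackdoorLnkMacro stager's metadata and option table.

    Builds ``self.info`` and ``self.options``, stores ``mainMenu`` and then
    applies any ``[Name, Value]`` pairs from ``params`` to options already
    present in the table (names not in the table are silently ignored).

    Args:
        mainMenu: Framework main-menu object, kept as ``self.mainMenu`` to
            reach listeners/agent handlers/etc.
        params: Optional list of ``[Name, Value]`` pairs used to preset
            option values. Defaults to ``None`` (treated as empty) instead
            of a shared mutable ``[]``.
    """
    if params is None:
        params = []

    self.info = {
        "Name": "BackdoorLnkMacro",
        "Author": ["@G0ldenGunSec"],
        "Description": (
            "Generates a macro that backdoors .lnk files on the users desktop, backdoored lnk files in "
            "turn attempt to download & execute an empire launcher when the user clicks on them. "
            "Usage: Three files will be spawned from this, an xls document (either new or containing "
            "existing contents) that data will be placed into, a macro that should be placed in the "
            "spawned xls document, and an xml that should be placed on a web server accessible by the "
            "remote system (as defined during stager generation). By default this xml is written to "
            "/var/www/html, which is the webroot on debian-based systems such as kali."
        ),
        "Comments": [
            "Two-stage macro attack vector used for bypassing tools that perform monitor parent "
            "processes and flag / block process launches from unexpected programs, such as office. The "
            "initial run of the macro is vbscript and spawns no child processes, instead it backdoors "
            "targeted shortcuts on the users desktop to do a direct run of powershell next time they are "
            "clicked. The second step occurs when the user clicks on the shortcut, the powershell "
            "download stub that runs will attempt to download & execute an empire launcher from an xml "
            "file hosted on a pre-defined webserver, which will in turn grant a full shell. Credits to "
            "@harmJ0y and @enigma0x3 for designing the macro stager that this was originally based on, "
            "@subTee for research pertaining to the xml.xmldocument cradle, and @curi0usJack for info on "
            "using cell embeds to evade AV."
        ],
    }

    # Random 5-9 letter basename shared by the default XmlUrl and XmlOutFile
    # options so both defaults refer to the same file. It is only a filename,
    # not a secret, so the non-cryptographic ``random`` module is adequate.
    xml_name = "".join(
        random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(5, 9))
    )

    # Options settable during runtime.
    # format: value_name : {description, required, default_value}
    self.options = {
        "Listener": {
            "Description": "Listener to generate stager for.",
            "Required": True,
            "Value": "",
        },
        "Obfuscate": {
            # "Strict" with "SuggestedValues" restricts this to True/False.
            "Description": "Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for "
                           "obfuscation types. For powershell only.",
            "Required": False,
            "Value": "False",
            "SuggestedValues": ["True", "False"],
            "Strict": True,
        },
        "ObfuscateCommand": {
            "Description": "The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For "
                           "powershell only.",
            "Required": False,
            "Value": r"Token\All\1",
        },
        "Language": {
            "Description": "Language of the launcher to generate.",
            "Required": True,
            "Value": "powershell",
        },
        "TargetEXEs": {
            "Description": "Will backdoor .lnk files pointing to selected executables (do not include .exe "
                           "extension), enter a comma seperated list of target exe names - ex. iexplore,firefox,"
                           "chrome",
            "Required": True,
            "Value": "iexplore,firefox,chrome",
        },
        "XmlUrl": {
            "Description": "remotely-accessible URL to access the XML containing launcher code. Please try and "
                           "keep this URL short, as it must fit in the given 1024 chars for args along with all "
                           "other logic - default options typically allow for 100-200 chars of extra space, "
                           "depending on targeted exe",
            "Required": True,
            "Value": "http://" + helpers.lhost() + "/" + xml_name + ".xml",
        },
        "XlsOutFile": {
            "Description": "XLS (incompatible with xlsx/xlsm) file to output stager payload to. If document does "
                           "not exist / cannot be found a new file will be created",
            "Required": True,
            "Value": "/tmp/default.xls",
        },
        "OutFile": {
            "Description": "Filename that should be used for the generated output, otherwise returned as a string.",
            "Required": False,
            "Value": "macro",
        },
        "XmlOutFile": {
            "Description": "Local path + file to output xml to.",
            "Required": True,
            "Value": "/var/www/html/" + xml_name + ".xml",
        },
        "KillDate": {
            # Default is the generation date; no validation of the format
            # happens in this initializer.
            "Description": "Date after which the initial powershell stub will no longer attempt to download and "
                           "execute code, set this for the end of your campaign / engagement. Format mm/dd/yyyy",
            "Required": True,
            "Value": datetime.datetime.now().strftime("%m/%d/%Y"),
        },
        "UserAgent": {
            "Description": "User-agent string to use for the staging request (default, none, or other) (2nd stage).",
            "Required": False,
            "Value": "default",
        },
        "Proxy": {
            "Description": "Proxy to use for request (default, none, or other) (2nd stage).",
            "Required": False,
            "Value": "default",
        },
        "StagerRetries": {
            "Description": "Times for the stager to retry connecting (2nd stage).",
            "Required": False,
            "Value": "0",
        },
        "ProxyCreds": {
            # "\\]" keeps the literal backslash without relying on an invalid
            # escape sequence ("\]" is a SyntaxWarning on newer Pythons).
            # Credentials set here are stored in this table as plain text.
            "Description": "Proxy credentials ([domain\\]username:password) to use for request (default, none, "
                           "or other) (2nd stage).",
            "Required": False,
            "Value": "default",
        },
        "Bypasses": {
            "Description": "Bypasses as a space separated list to be prepended to the launcher",
            "Required": False,
            "Value": "mattifestation etw",
        },
    }

    # Save off a copy of the mainMenu object to access external functionality
    # like listeners/agent handlers/etc.
    self.mainMenu = mainMenu

    # Parameter format is [Name, Value]; unknown option names are skipped.
    for option, value in params:
        if option in self.options:
            self.options[option]["Value"] = value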
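def __init__(self, mainMenu, params=None):
    """Set up the HTTP[S] + MAPI listener's metadata and option table.

    Builds ``self.info`` and ``self.options``, stores the framework
    references, derives ``self.uris`` from ``DefaultProfile`` and replaces
    the placeholder ``StagingKey`` with the controller's configured value.

    Args:
        mainMenu: Framework main-menu object, kept as ``self.mainMenu``.
        params: Optional list of ``[Name, Value]`` pairs. Accepted for
            interface parity with the other modules but not read by this
            initializer. Defaults to ``None`` instead of a shared mutable
            ``[]``.
    """
    self.info = {
        'Name': 'HTTP[S] + MAPI',
        'Author': ['@harmj0y', '@_staaldraad'],
        'Description': 'Starts a http[s] listener (PowerShell) which can be used with Liniaal for C2 through Exchange',
        'Category': 'client_server',
        'Comments': [
            'This requires the Liniaal agent to translate messages from MAPI to HTTP. More info: https://github.com/sensepost/liniaal'
        ],
    }

    # Options settable during runtime.
    # format: value_name : {description, required, default_value}
    self.options = {
        'Name': {
            'Description': 'Name for the listener.',
            'Required': True,
            'Value': 'mapi',
        },
        'Host': {
            'Description': 'Hostname/IP for staging.',
            'Required': True,
            'Value': 'http://%s' % helpers.lhost(),
        },
        'BindIP': {
            # 0.0.0.0 binds every local interface by default.
            'Description': 'The IP to bind to on the control server.',
            'Required': True,
            'Value': '0.0.0.0',
        },
        'Port': {
            'Description': 'Port for the listener.',
            'Required': True,
            'Value': '',
        },
        'Launcher': {
            'Description': 'Launcher string.',
            'Required': True,
            'Value': 'powershell -noP -sta -w 1 -enc ',
        },
        'StagingKey': {
            # Placeholder only: overwritten at the end of __init__ with the
            # controller's configured staging key, so this literal is never
            # the effective key.
            'Description': 'Staging key for initial agent negotiation.',
            'Required': True,
            'Value': '2c103f2c4ed1e59c0b4e2e01821770fa',
        },
        'DefaultDelay': {
            # Unlike the other HTTP listeners this one defaults to 0.
            'Description': 'Agent delay/reach back interval (in seconds).',
            'Required': True,
            'Value': 0,
        },
        'DefaultJitter': {
            # Documented range 0.0-1.0; not validated here.
            'Description': 'Jitter in agent reachback interval (0.0-1.0).',
            'Required': True,
            'Value': 0.0,
        },
        'DefaultLostLimit': {
            'Description': 'Number of missed checkins before exiting',
            'Required': True,
            'Value': 60,
        },
        'DefaultProfile': {
            # "<comma-separated URIs>|<user agent>"; the URI part feeds
            # self.uris below.
            'Description': 'Default communication profile for the agent.',
            'Required': True,
            'Value': '/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',
        },
        'CertPath': {
            'Description': 'Certificate path for https listeners.',
            'Required': False,
            'Value': '',
        },
        'KillDate': {
            'Description': 'Date for the listener to exit (MM/dd/yyyy).',
            'Required': False,
            'Value': '',
        },
        'WorkingHours': {
            'Description': 'Hours for the agent to operate (09:00-17:00).',
            'Required': False,
            'Value': '',
        },
        'Headers': {
            'Description': 'Headers for the control server.',
            'Required': True,
            'Value': 'Server:Microsoft-IIS/7.5',
        },
        'Folder': {
            'Description': 'The hidden folder in Exchange to user',
            'Required': True,
            'Value': 'Liniaal',
        },
        'Email': {
            'Description': 'The email address of our target',
            'Required': False,
            'Value': '',
        },
        'SlackURL': {
            # Webhook URLs are bearer-style secrets; stored here as plain text
            # like every other option.
            'Description': 'Your Slack Incoming Webhook URL to communicate with your Slack instance.',
            'Required': False,
            'Value': '',
        },
    }

    # Required by the listener framework.
    self.mainMenu = mainMenu
    self.threads = {}

    # Optional/specific for this module.
    self.app = None
    # Request URIs: the part of DefaultProfile before '|', split on ','
    # with surrounding slashes removed.
    profile_uris = self.options['DefaultProfile']['Value'].split('|')[0]
    self.uris = [uri.strip('/') for uri in profile_uris.split(',')]

    # Set the default staging key to the controller db default.
    self.options['StagingKey']['Value'] = str(data_util.get_config('staging_key')[0])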
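def __init__(self, mainMenu, params=None):
    """Set up the foreign HTTP[S] listener's metadata and option table.

    Builds ``self.info`` and ``self.options``, stores the framework
    references, derives ``self.uris`` from the ``DefaultProfile`` option and
    finally replaces the placeholder ``StagingKey`` with the controller's
    configured value.

    Args:
        mainMenu: Framework main-menu object, kept as ``self.mainMenu``.
        params: Optional list of ``[Name, Value]`` pairs. Accepted for
            interface parity with the other modules but not read by this
            initializer. Defaults to ``None`` instead of a shared mutable
            ``[]``.
    """
    self.info = {
        "Name": "HTTP[S]",
        "Author": ["@harmj0y"],
        "Description": "Starts a 'foreign' http[s] Empire listener.",
        "Category": "client_server",
        "Comments": [],
    }

    # Options settable during runtime.
    # format: value_name : {description, required, default_value}
    self.options = {
        "Name": {
            "Description": "Name for the listener.",
            "Required": True,
            "Value": "http_foreign",
        },
        "Host": {
            "Description": "Hostname/IP for staging.",
            "Required": True,
            "Value": "http://%s" % helpers.lhost(),
        },
        "Port": {
            "Description": "Port for the listener.",
            "Required": True,
            "Value": "",
        },
        "Launcher": {
            "Description": "Launcher string.",
            "Required": True,
            "Value": "powershell -noP -sta -w 1 -enc ",
        },
        "StagingKey": {
            # Placeholder only: overwritten at the end of __init__ with the
            # controller's configured staging key, so this literal is never
            # the effective key.
            "Description": "Staging key for initial agent negotiation.",
            "Required": True,
            "Value": "2c103f2c4ed1e59c0b4e2e01821770fa",
        },
        "DefaultDelay": {
            "Description": "Agent delay/reach back interval (in seconds).",
            "Required": True,
            "Value": 5,
        },
        "DefaultJitter": {
            # Documented range 0.0-1.0; not validated here.
            "Description": "Jitter in agent reachback interval (0.0-1.0).",
            "Required": True,
            "Value": 0.0,
        },
        "DefaultLostLimit": {
            "Description": "Number of missed checkins before exiting",
            "Required": True,
            "Value": 60,
        },
        "DefaultProfile": {
            # "<comma-separated URIs>|<user agent>"; the URI part feeds
            # self.uris below.
            "Description": "Default communication profile for the agent.",
            "Required": True,
            "Value": "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
        },
        "KillDate": {
            "Description": "Date for the listener to exit (MM/dd/yyyy).",
            "Required": False,
            "Value": "",
        },
        "WorkingHours": {
            "Description": "Hours for the agent to operate (09:00-17:00).",
            "Required": False,
            "Value": "",
        },
        "SlackURL": {
            # Webhook URLs are bearer-style secrets; stored here as plain text
            # like every other option.
            "Description": "Your Slack Incoming Webhook URL to communicate with your Slack instance.",
            "Required": False,
            "Value": "",
        },
    }

    # Required by the listener framework.
    self.mainMenu = mainMenu
    self.threads = {}

    # Optional/specific for this module.
    self.app = None
    # Request URIs: the part of DefaultProfile before "|", split on ","
    # with surrounding slashes removed.
    profile_uris = self.options["DefaultProfile"]["Value"].split("|")[0]
    self.uris = [uri.strip("/") for uri in profile_uris.split(",")]

    # Set the default staging key to the controller db default.
    self.options["StagingKey"]["Value"] = str(data_util.get_config("staging_key")[0])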
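def __init__(self, mainMenu, params=None):
    """Set up the HTTP[S] COM listener's metadata and option table.

    Builds ``self.info`` and ``self.options``, stores the framework
    references, derives ``self.uris`` from ``DefaultProfile``, replaces the
    placeholder ``StagingKey`` with the controller's configured value and
    picks a random ``header_offset``.

    Args:
        mainMenu: Framework main-menu object, kept as ``self.mainMenu``.
        params: Optional list of ``[Name, Value]`` pairs. Accepted for
            interface parity with the other modules but not read by this
            initializer. Defaults to ``None`` instead of a shared mutable
            ``[]``.
    """
    self.info = {
        "Name": "HTTP[S] COM",
        "Author": ["@harmj0y"],
        "Description": (
            "Starts a http[s] listener (PowerShell only) that uses a GET/POST approach "
            "using a hidden Internet Explorer COM object. If using HTTPS, valid certificate required."
        ),
        "Category": "client_server",
        "Comments": [],
    }

    # Options settable during runtime.
    # format: value_name : {description, required, default_value}
    self.options = {
        "Name": {
            "Description": "Name for the listener.",
            "Required": True,
            "Value": "http_com",
        },
        "Host": {
            "Description": "Hostname/IP for staging.",
            "Required": True,
            "Value": "http://%s" % helpers.lhost(),
        },
        "BindIP": {
            # 0.0.0.0 binds every local interface by default.
            "Description": "The IP to bind to on the control server.",
            "Required": True,
            "Value": "0.0.0.0",
        },
        "Port": {
            "Description": "Port for the listener.",
            "Required": True,
            "Value": "",
        },
        "Launcher": {
            "Description": "Launcher string.",
            "Required": True,
            "Value": "powershell -noP -sta -w 1 -enc ",
        },
        "StagingKey": {
            # Placeholder only: overwritten below with the controller's
            # configured staging key, so this literal is never the
            # effective key.
            "Description": "Staging key for initial agent negotiation.",
            "Required": True,
            "Value": "2c103f2c4ed1e59c0b4e2e01821770fa",
        },
        "DefaultDelay": {
            "Description": "Agent delay/reach back interval (in seconds).",
            "Required": True,
            "Value": 5,
        },
        "DefaultJitter": {
            # Documented range 0.0-1.0; not validated here.
            "Description": "Jitter in agent reachback interval (0.0-1.0).",
            "Required": True,
            "Value": 0.0,
        },
        "DefaultLostLimit": {
            "Description": "Number of missed checkins before exiting",
            "Required": True,
            "Value": 60,
        },
        "DefaultProfile": {
            # "<comma-separated URIs>|<user agent>"; the URI part feeds
            # self.uris below.
            "Description": "Default communication profile for the agent.",
            "Required": True,
            "Value": "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
        },
        "CertPath": {
            # Not required even though the description above says HTTPS
            # needs a valid certificate.
            "Description": "Certificate path for https listeners.",
            "Required": False,
            "Value": "",
        },
        "KillDate": {
            "Description": "Date for the listener to exit (MM/dd/yyyy).",
            "Required": False,
            "Value": "",
        },
        "WorkingHours": {
            "Description": "Hours for the agent to operate (09:00-17:00).",
            "Required": False,
            "Value": "",
        },
        "RequestHeader": {
            "Description": "Cannot use Cookie header, choose a different HTTP request header for comms.",
            "Required": True,
            "Value": "CF-RAY",
        },
        "Headers": {
            "Description": "Headers for the control server.",
            "Required": True,
            "Value": "Server:Microsoft-IIS/7.5",
        },
        "SlackURL": {
            # Webhook URLs are bearer-style secrets; stored here as plain text
            # like every other option.
            "Description": "Your Slack Incoming Webhook URL to communicate with your Slack instance.",
            "Required": False,
            "Value": "",
        },
    }

    # Required by the listener framework.
    self.mainMenu = mainMenu
    self.threads = {}

    # Optional/specific for this module.
    self.app = None
    # Request URIs: the part of DefaultProfile before "|", split on ","
    # with surrounding slashes removed.
    profile_uris = self.options["DefaultProfile"]["Value"].split("|")[0]
    self.uris = [uri.strip("/") for uri in profile_uris.split(",")]

    # Set the default staging key to the controller db default.
    self.options["StagingKey"]["Value"] = str(data_util.get_config("staging_key")[0])

    # Randomize the length of the default_response and index_page headers
    # to evade signature based scans.
    self.header_offset = random.randint(0, 64)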
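def __init__(self, mainMenu, params=None):
    """Set up the template listener's metadata and option table.

    Builds ``self.info`` and ``self.options``, stores the framework
    references and replaces the placeholder ``StagingKey`` with the
    controller's configured value.

    Args:
        mainMenu: Framework main-menu object, kept as ``self.mainMenu``.
        params: Optional list of ``[Name, Value]`` pairs. Accepted for
            interface parity with the other modules but not read by this
            initializer. Defaults to ``None`` instead of a shared mutable
            ``[]``.
    """
    self.info = {
        "Name": "Template",
        "Author": ["@harmj0y"],
        "Description": "Listener template",
        # categories - client_server, peer_to_peer, broadcast, third_party
        "Category": "client_server",
        "Comments": [],
    }

    # Options settable during runtime.
    # format: value_name : {description, required, default_value}
    self.options = {
        "Name": {
            "Description": "Name for the listener.",
            "Required": True,
            "Value": "http",
        },
        "Host": {
            "Description": "Hostname/IP for staging.",
            "Required": True,
            "Value": "http://%s" % helpers.lhost(),
        },
        "BindIP": {
            # 0.0.0.0 binds every local interface by default.
            "Description": "The IP to bind to on the control server.",
            "Required": True,
            "Value": "0.0.0.0",
        },
        "Port": {
            "Description": "Port for the listener.",
            "Required": True,
            "Value": "",
        },
        "Launcher": {
            "Description": "Launcher string.",
            "Required": True,
            "Value": "powershell -noP -sta -w 1 -enc ",
        },
        "StagingKey": {
            # Placeholder only: overwritten at the end of __init__ with the
            # controller's configured staging key, so this literal is never
            # the effective key.
            "Description": "Staging key for initial agent negotiation.",
            "Required": True,
            "Value": "2c103f2c4ed1e59c0b4e2e01821770fa",
        },
        "DefaultDelay": {
            "Description": "Agent delay/reach back interval (in seconds).",
            "Required": True,
            "Value": 5,
        },
        "DefaultJitter": {
            # Documented range 0.0-1.0; not validated here.
            "Description": "Jitter in agent reachback interval (0.0-1.0).",
            "Required": True,
            "Value": 0.0,
        },
        "DefaultLostLimit": {
            "Description": "Number of missed checkins before exiting",
            "Required": True,
            "Value": 60,
        },
        "DefaultProfile": {
            "Description": "Default communication profile for the agent.",
            "Required": True,
            "Value": "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
        },
        "CertPath": {
            "Description": "Certificate path for https listeners.",
            "Required": False,
            "Value": "",
        },
        "KillDate": {
            "Description": "Date for the listener to exit (MM/dd/yyyy).",
            "Required": False,
            "Value": "",
        },
        "WorkingHours": {
            "Description": "Hours for the agent to operate (09:00-17:00).",
            "Required": False,
            "Value": "",
        },
        "ServerVersion": {
            "Description": "Server header for the control server.",
            "Required": True,
            "Value": "Microsoft-IIS/7.5",
        },
        "StagerURI": {
            "Description": "URI for the stager. Example: stager.php",
            "Required": False,
            "Value": "",
        },
        "UserAgent": {
            "Description": "User-agent string to use for the staging request (default, none, or other).",
            "Required": False,
            "Value": "default",
        },
        "Proxy": {
            "Description": "Proxy to use for request (default, none, or other).",
            "Required": False,
            "Value": "default",
        },
        "ProxyCreds": {
            # "\\]" keeps the literal backslash without relying on an invalid
            # escape sequence ("\]" is a SyntaxWarning on newer Pythons).
            # Credentials set here are stored in this table as plain text.
            "Description": "Proxy credentials ([domain\\]username:password) to use for request (default, none, or other).",
            "Required": False,
            "Value": "default",
        },
        "SlackURL": {
            # Webhook URLs are bearer-style secrets; stored here as plain text
            # like every other option.
            "Description": "Your Slack Incoming Webhook URL to communicate with your Slack instance.",
            "Required": False,
            "Value": "",
        },
    }

    # Required by the listener framework.
    self.mainMenu = mainMenu
    # Used to keep track of any threaded instances of this server.
    self.threads = {}

    # Optional/specific for this module:
    # set the default staging key to the controller db default.
    self.options["StagingKey"]["Value"] = str(data_util.get_config("staging_key")[0])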