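def graphviz():
    """Write the implant topology to ``<ReportsDirectory>PoshC2.dot`` and render it to ``PoshC2.png``.

    Every implant returned by ``get_implants_all()`` becomes an edge: directly
    connected implants hang off the C2 server node, daisy-chained implants
    (``"Daisy"`` in ``implant.Pivot``) hang off their pivot.  The ``.dot`` file
    is then rendered with the external ``dot`` binary.

    Module globals read: ``ImagesDirectory``, ``ReportsDirectory``,
    ``PayloadCommsHost``.

    Raises:
        subprocess.CalledProcessError: if ``dot`` exits non-zero.
        OSError: if the ``.dot`` file cannot be written or ``dot`` is not found.
    """
    gv = (
        """ digraph "PoshC2" { subgraph proxy { node [color=white, fontcolor=red, fontsize=15, shapefile="%s/firewall.png"]; "POSHSERVER"; } subgraph implant { node [color=white, fontcolor=white, fontsize=15, shapefile="%s/implant.png"]; IMPLANTHOSTS } subgraph daisy { node [color=white, fontcolor=white, fontsize=15, shapefile="%s/implant.png"]; DAISYHOSTS } } """
        % (ImagesDirectory, ImagesDirectory, ImagesDirectory)
    )
    # The label is a dot string literal, so a double quote in the comms host
    # would terminate it early; the leading "\n"s are dot escapes that push
    # the text below the node image.
    server_tag = "\\n\\n\\n\\n\\n\\n\\n\\n\\n\\nPoshC2 Server\\n%s" % PayloadCommsHost.replace("\"", "")
    hosts, daisyhosts = _graphviz_edges(get_implants_all(), server_tag)
    gv = gv.replace("POSHSERVER", server_tag)
    gv = gv.replace("DAISYHOSTS", daisyhosts)
    gv = gv.replace("IMPLANTHOSTS", hosts)

    dot_path = "%sPoshC2.dot" % ReportsDirectory
    png_path = "%sPoshC2.png" % ReportsDirectory
    with open(dot_path, "w") as output_file:
        output_file.write(gv)
    # Argument list rather than a shell string: a ReportsDirectory containing
    # shell metacharacters can no longer change the command that is run.
    subprocess.check_output(["dot", "-Tpng", "-o", png_path, dot_path])
    print("")
    print("GraphViz Generated PoshC2.png")
    time.sleep(1)


def _graphviz_edges(implants, server_tag):
    """Build the IMPLANTHOSTS and DAISYHOSTS edge statements for the dot template.

    Args:
        implants: iterable of implant records with ``Pivot``, ``Domain`` and
            ``Hostname`` attributes.
        server_tag: label of the C2 server node, used as the source of every
            direct edge.

    Returns:
        ``(hosts, daisyhosts)`` -- two strings of ``"a" -> "b";`` lines.
        Direct hosts are de-duplicated by exact hostname (a substring test
        would have dropped ``WS1`` once ``WS10`` was listed); daisy edges by
        exact edge text.
    """
    hosts = ""
    daisyhosts = ""
    seen_hosts = set()
    seen_edges = set()
    for implant in implants:
        # Backslashes must be doubled inside dot string literals.
        domain = implant.Domain.replace("\\", "\\\\")
        if "Daisy" not in implant.Pivot:
            if implant.Hostname in seen_hosts:
                continue
            seen_hosts.add(implant.Hostname)
            hosts += "\"%s\" -> \"%s \\n %s\\n\\n\\n\\n \"; \n" % (server_tag, domain, implant.Hostname)
        else:
            # Pivot text may carry NULs and "user@host" -- strip the NULs,
            # escape backslashes and break "@" onto its own label line.
            pivot = implant.Pivot.replace('\x00', '').replace("\\", "\\\\").replace('@', ' \\n ')
            edge = "\"%s\\n\\n\\n\\n \" -> \"%s \\n %s\\n\\n\\n\\n \"; \n" % (pivot, domain, implant.Hostname)
            if edge in seen_edges:
                continue
            seen_edges.add(edge)
            daisyhosts += edge
    return hosts, daisyhosts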
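def do_opsec(user, command):
    """Print an OpSec summary: users, hosts, C2 URLs, uploaded files, credentials and hashes.

    Data comes from ``get_implants_all()``, ``get_tasks()``, ``get_c2urls()``
    and ``get_creds()``; the summary is printed with ``print_good`` and then
    ``do_get_opsec_events(user, command)`` is called.

    Args:
        user: operator name, passed through to ``do_get_opsec_events``.
        command: the operator's command line, passed through unchanged.  The
            previous version rebound this parameter inside the task loop, so
            ``do_get_opsec_events`` received the last task's command instead.
    """
    implants = get_implants_all()
    comtasks = get_tasks()
    urlformatted = _format_c2urls(get_c2urls())

    # Exact-match de-duplication; a substring test on the accumulated text
    # would hide "WS1" once "WS10" (or "bob" once "bobby") was listed.
    seen_hosts = set()
    seen_users = set()
    hosts = ""
    users = ""
    uploads = ""

    for implant in implants or []:
        if implant.Hostname not in seen_hosts:
            seen_hosts.add(implant.Hostname)
            hosts += "%s \n" % implant.Hostname

    for task in comtasks or []:
        implant = get_implantdetails(task[1])
        task_command = task[2].lower()
        output = task[3].lower()
        if implant.User not in seen_users:
            seen_users.add(implant.User)
            users += "%s\\%s @ %s\n" % (implant.Domain, implant.User, implant.Hostname)
        if "invoke-pbind" in task_command and "connected" in output:
            # re.search returns None when no "-target " is present; guard it
            # rather than index into None.
            tg = re.search(r"(?<=-target )\S*", str(task_command))
            if tg and tg[0] and tg[0] not in seen_hosts:
                seen_hosts.add(tg[0])
                hosts += "%s \n" % tg[0]
        if "uploading file" in task_command:
            filehash, uploadedfile = _parse_upload_line(task_command)
            uploads += "%s\t%s\t%s\n" % (implant.User, filehash, uploadedfile)
        if "installing persistence" in output:
            line = task_command.replace('\n', '').replace('\r', '')
            # partition() yields "" instead of raising when no ":" is present.
            filenameuploaded = line.rstrip().partition(":")[2]
            uploads += "%s %s \n" % (implant.User, filenameuploaded)
        if "written scf file" in output:
            uploads += "%s %s \n" % (implant.User, output)

    creds, hashes = parse_creds(get_creds())
    print_good(
        "\nUsers Compromised: \n%s\nHosts Compromised: \n%s\nURLs: \n%s\nFiles Uploaded: \n%s\nCredentials Compromised: \n%s\nHashes Compromised: \n%s"
        % (users, hosts, urlformatted, uploads, creds, hashes))
    print_good("\nOpSec Events:")
    do_get_opsec_events(user, command)


def _format_c2urls(urls):
    """Render the C2 URL rows (8 columns each) as a space-separated table with a header line."""
    header = "ID Name URL HostHeader ProxyURL ProxyUsername ProxyPassword CredentialExpiry\n"
    rows = ["%s %s %s %s %s %s %s %s \n" % tuple(row[:8]) for row in urls]
    return header + "".join(rows)


def _parse_upload_line(task_command):
    """Split an ``uploading file: <path> with md5sum: <hash>`` task into ``(hash, path)``.

    Missing pieces come back as empty strings; surrounding double quotes are
    stripped from the path.
    """
    rest = task_command.partition("uploading file: ")[2].strip()
    filehash = rest.partition(" with md5sum:")[2].strip()
    uploadedfile = rest.partition(" with md5sum:")[0].strip().strip('"')
    return filehash, uploadedfile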