From d980017ccf8860823fff514f49ae47c956e1c7f5 Mon Sep 17 00:00:00 2001
From: Sanjiv Kawa <sanjivkawa@gmail.com>
Date: Thu, 6 Dec 2018 17:10:24 -0500
Subject: [PATCH 1/2] Offline report generator

---
 OfflineReportGenerator.py | 427 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 427 insertions(+)
 create mode 100644 OfflineReportGenerator.py

diff --git a/OfflineReportGenerator.py b/OfflineReportGenerator.py
new file mode 100644
index 0000000..d856e22
--- /dev/null
+++ b/OfflineReportGenerator.py
@@ -0,0 +1,427 @@
+#!/usr/bin/env python
+
+
+import sqlite3, re, subprocess, time, cgi, os, sys
+import pandas as pd
+
+# Configurable Setting
+ReportsDirectory = "./"
+# End
+
+if not os.path.exists(ReportsDirectory):
+    os.makedirs(ReportsDirectory)
+
+DB = ""
+
+try:
+    DB = sys.argv[1]
+except IndexError:
+    DB = ""
+
+if len(DB) < 1:
+  print "Usage: python OfflineReportGenerator.py sqPowershellC2.SQLite"
+  exit()
+
+if not os.path.exists(DB):
+  print "%s Does not exist" % DB
+  exit()
+
+# Main program
+def replace_tabs(s):
+  s = s.replace("\t", "    ")
+  return s
+  
+  HostnameIP = "1.1.1.1"
+  ServerTAG = "\\n\\n\\n\\n\\n\\n\\n\\n\\n\\nPoshC2 Server\\n%s" % HostnameIP
+  GV = GV.replace("POSHSERVER",ServerTAG)
+
+  implants = get_implants_all_db()
+  hosts = ""
+  daisyhosts = ""
+
+  for i in implants:
+    if "Daisy" not in i[15]:
+      if i[3] not in hosts:
+        hostname = i[11].replace("\\","\\\\")
+        hosts += "\"%s\" -> \"%s \\n %s\\n\\n\\n\\n \"; \n" % (ServerTAG,hostname,i[3])
+
+  for i in implants:
+    if "Daisy" in i[15]:
+      hostname = i[11].replace("\\","\\\\")
+      if "\"%s\\n\\n\\n\\n \" -> \"%s \\n %s\\n\\n\\n\\n \"; \n" % (i[9].replace('\x00','').replace("\\","\\\\").replace('@',' \\n '),hostname,i[3]) not in daisyhosts:
+        daisyhosts += "\"%s\\n\\n\\n\\n \" -> \"%s \\n %s\\n\\n\\n\\n \"; \n" % (i[9].replace('\x00','').replace("\\","\\\\").replace('@',' \\n '),hostname,i[3])
+
+  GV = GV.replace("DAISYHOSTS",daisyhosts)
+  GV = GV.replace("IMPLANTHOSTS",hosts)
+
+def get_implants_all_db():
+  conn = sqlite3.connect(DB)
+  conn.row_factory = sqlite3.Row
+  c = conn.cursor()
+  c.execute("SELECT * FROM Implants")
+  result = c.fetchall()
+  if result:
+    return result
+  else:
+    return None
+
+def get_htmlimplant( randomuri ):
+  conn = sqlite3.connect(DB)
+  conn.row_factory = sqlite3.Row
+  c = conn.cursor()
+  c.execute("SELECT * FROM Implants WHERE RandomURI=?",(randomuri,))
+  result = c.fetchone()
+  if result:
+    return result
+  else:
+    return None
+
+def generate_table(table):
+  HTMLPre = """<script>
+function SearchUser() {
+  // Declare variables
+  var input, filter, table, tr, td, i;
+  input = document.getElementById("SearchUser");
+  filter = input.value.toUpperCase();
+  table = document.getElementById("PoshTable");
+  tr = table.getElementsByTagName("tr");
+
+  // Loop through all table rows, and hide those who don't match the search query
+  for (i = 0; i < tr.length; i++) {
+    td = tr[i].getElementsByTagName("td")[2];
+    if (td) {
+      if (td.innerHTML.toUpperCase().indexOf(filter) > -1) {
+        tr[i].style.display = "";
+      } else {
+        tr[i].style.display = "none";
+      }
+    }
+  }
+}
+function SearchHost() {
+  // Declare variables
+  var input, filter, table, tr, td, i;
+  input = document.getElementById("SearchHost");
+  filter = input.value.toUpperCase();
+  table = document.getElementById("PoshTable");
+  tr = table.getElementsByTagName("tr");
+
+  // Loop through all table rows, and hide those who don't match the search query
+  for (i = 0; i < tr.length; i++) {
+    td = tr[i].getElementsByTagName("td")[3];
+    if (td) {
+      if (td.innerHTML.toUpperCase().indexOf(filter) > -1) {
+        tr[i].style.display = "";
+      } else {
+        tr[i].style.display = "none";
+      }
+    }
+  }
+}
+function SearchURL() {
+  // Declare variables
+  var input, filter, table, tr, td, i;
+  input = document.getElementById("SearchURL");
+  filter = input.value.toUpperCase();
+  table = document.getElementById("PoshTable");
+  tr = table.getElementsByTagName("tr");
+
+  // Loop through all table rows, and hide those who don't match the search query
+  for (i = 0; i < tr.length; i++) {
+    td = tr[i].getElementsByTagName("td")[9];
+    if (td) {
+      if (td.innerHTML.toUpperCase().indexOf(filter) > -1) {
+        tr[i].style.display = "";
+      } else {
+        tr[i].style.display = "none";
+      }
+    }
+  }
+}
+function SearchCommand() {
+  // Declare variables
+  var input, filter, table, tr, td, i;
+  input = document.getElementById("CommandInput");
+  filter = input.value.toUpperCase();
+  table = document.getElementById("PoshTable");
+  tr = table.getElementsByTagName("tr");
+
+  // Loop through all table rows, and hide those who don't match the search query
+  for (i = 0; i < tr.length; i++) {
+    td = tr[i].getElementsByTagName("td")[3];
+    if (td) {
+      if (td.innerHTML.toUpperCase().indexOf(filter) > -1) {
+        tr[i].style.display = "";
+      } else {
+        tr[i].style.display = "none";
+      }
+    }
+  }
+}
+function SearchOutput() {
+  // Declare variables
+  var input, filter, table, tr, td, i;
+  input = document.getElementById("OutputInput");
+  filter = input.value.toUpperCase();
+  table = document.getElementById("PoshTable");
+  tr = table.getElementsByTagName("tr");
+
+  // Loop through all table rows, and hide those who don't match the search query
+  for (i = 0; i < tr.length; i++) {
+    td = tr[i].getElementsByTagName("td")[4];
+    if (td) {
+      if (td.innerHTML.toUpperCase().indexOf(filter) > -1) {
+        tr[i].style.display = "";
+      } else {
+        tr[i].style.display = "none";
+      }
+    }
+  }
+}
+function SearchTask() {
+  // Declare variables
+  var input, filter, table, tr, td, i;
+  input = document.getElementById("SearchTask");
+  filter = input.value.toUpperCase();
+  table = document.getElementById("PoshTable");
+  tr = table.getElementsByTagName("tr");
+
+  // Loop through all table rows, and hide those who don't match the search query
+  for (i = 0; i < tr.length; i++) {
+    td = tr[i].getElementsByTagName("td")[0];
+    if (td) {
+      if (td.innerHTML.toUpperCase().indexOf(filter) > -1) {
+        tr[i].style.display = "";
+      } else {
+        tr[i].style.display = "none";
+      }
+    }
+  }
+}
+
+
+// Do some tweaking to markup to make things easier
+function tweakMarkup(){
+
+  // Add classes to columns
+  var classes = ['id', 'taskid', 'randomuri', 'command', 'output', 'prompt','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot']
+  tbl = document.getElementById("PoshTable");
+  ths = tbl.getElementsByTagName("th");
+  for( i=0; i<ths.length; i++ ){
+    th = ths[i];
+    th.className = classes[i]
+  }
+  trs = tbl.getElementsByTagName("tr");
+  for( i=0; i<trs.length; i++ ){
+    tr = trs[i]
+    tds = tr.getElementsByTagName('td');
+    if( i % 2 == 0 ){
+      tr.className = 'even';
+    }else{
+      tr.className = 'odd';
+    }
+    for( j=0; j<tds.length; j++ ){
+      td = tds[j];
+      td.className = classes[j]
+      if( td.className.match(/output|Hostname|IpAddress|Key|FirstSeen|LastSeen|PID|Proxy|Arch|Domain|Alive|Sleep|ModsLoaded|Pivot|id|taskid|randomuri|command|output|prompt|ImplantID|RandomURI|User|Hostname|IpAddress|Key|FirstSeen|LastSeen|PID|Proxy|Arch|Domain|Alive|Sleep|ModsLoaded|Pivot/) ){
+        td.className += ' hidden';
+        td.innerHTML = '<div>' + td.innerHTML + '</div>';
+        td.onclick = toggleHide
+      }
+    }
+  }
+
+}
+
+function toggleHide( evnt ){
+  td = evnt.target;
+  if( td.nodeName == 'DIV' ){
+    td = td.parentElement;
+  }
+  cls = td.className;
+  if( cls.match(/hidden/) ){
+    cls = cls.replace('hidden','shown');
+  }else{
+    cls = cls.replace('shown','hidden');
+  }
+  td.className = cls;
+}
+
+</script>
+
+<style>
+
+#CommandInput, #OutputInput, #SearchTask, #SearchHost, #SearchUser, #SearchURL {
+    background-image: url('/css/searchicon.png'); /* Add a search icon to input */
+    background-position: 10px 12px; /* Position the search icon */
+    background-repeat: no-repeat; /* Do not repeat the icon image */
+    width: 100%; /* Full-width */
+    font-size: 16px; /* Increase font-size */
+    padding: 12px 20px 12px 40px; /* Add some padding */
+    border: 1px solid #ddd; /* Add a grey border */
+    margin-bottom: 12px; /* Add some space below the input */
+}
+
+body {
+font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;
+}
+
+table {
+  font-family: monospace;
+  margin: 1em 0;
+  white-space: pre;
+  border-spacing: 0;
+  width: 100%;
+  table-layout: fixed;
+}
+  table tr {}
+  table tr.even{
+    background-color: #f2f2f2
+  }
+    table tr th,
+    table tr td {
+      text-align: left;
+      padding: 0.5em;
+      border: 1px solid #ccc;
+
+    }
+    table tr th {
+        background-color: #4CAF50;
+        color: white;
+    }
+    table tr td {
+      vertical-align: top;
+    }
+    table tr td.command {
+    }
+    table tr td.hidden div,
+    table tr td.shown div {
+      cursor: pointer;
+      background: top right url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABGdBTUEAAK/INwWK6QAAABl0RVh0U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAHkSURBVDjL3ZNvT1JhGMafb3G+TQqKECNFRIEDcvgXmB5IPNJmTdbC1SQ0S1xzZKXyT41TdpCOMyYtiXS9aW2uD8EbPsHV87RRmyLrdc92vbt/1/U8930/ZLYxASbpSwgz9SCin2+CHtJJwYoLgbITvvcOeN7a4S6NgTB45+cmCucvu8JMFOZCZQHpr0tYO12Ga9cKwpJz5xvIfH+GR2dxRGp+uSOs8Jxv39GKV+/gYS2OlXoSfNECMnMSRKw+hdS3BLI/Mlho3MPUR88lE+++ozlfjWG1kYJUCcNRsMCWM4NM02vf/hTgwsf+1uLpfTw4mcOtQ0G9aCDINiWmRiAdiAz+HTC6Nfi3QKx6uckjT3Pi0K1c1QPnzojahtsi3Zr2L/rfDGin5fE3o+pVxeYXRmVw3dA0Pddzfwz8Co82LFVERMuTbEyXJjGUMaqBgoBQ0Qfjmq5lWO3n9E/76IK8s4PCYHCytoDZgwhsWXPzosGNdYPszY1jTonBnxVgSuuhe6KhyfRDJGsJ3P0gQSqLDG7RBeE6PeF6Wie7X/MI5N2YLonoX+oFce1ZsXicQOJoHs68FdbNznBbAytaREthSHIE2lQPCF8cgT0/jLHtIQbD8sqEbrBuWYM+mqx93ANN8hp+AQOPtI0tirA3AAAAAElFTkSuQmCC);
+      background-repeat: no-repeat;
+
+      overflow: scroll;
+      word-wrap: break-all;
+      white-space:normal;
+      min-height: 25px;
+      width: 100%;
+    }
+    table tr td.shown div {
+      background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABGdBTUEAAK/INwWK6QAAABl0RVh0U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAHqSURBVDjL3ZHbThpRFIZ5i3kcLRYPqIgUGcDhNKBAqyKCobTR2NhiKmCstcWmBmtLPaCO4CQ6SBWVKInx0N70KbjhCf7O3ia0ZS686F0vVrL3Xvv7VvIvFQBVuOITQxfe6tj5IEPu9xW/ZxGcu2aJnAksxW9eYP42hmB5oBY48zAjJ240QoP7HH3j8xYhWgwiUgiAyxpFlTxZmL2ewvrPNBJX0wid+TF0zCsEHtEKGcbT4igWK0k8OwzBumGo0uZoeUCYuZzE0vUcVn6k8OSbUyFwyfDbSgKvShOIFsZgWTfU2K96pv5huOSm8KfvS/AXHAqBQ2CxcJFAsjwDe5YFgWkGdzCPoSMXHhed8BXs8B7YFALbVh/6Nx+RyWAzevR91qEu+Jf6XwRuecdkTSRp27YcVtaoCLE33Qn9sha6D+3oSrVB+07zO0RXzsx4chxmT18ifhqjSTcKej5qMbkfRVQM12EqILA8uRaRgnguhRE7mqJrahR0y5MjYgi+TTfsq1a0vVELVODYMVUJ/Lo0jZG8768d/1md71uhS2nBZxwYzwXRn2bxMNksqLgtoxgQ/RjOe2HK9FCrYaVLIehY1KB9oYVpnVfXnKscrMsmqBNNEm2a13ol05c7+L7SzD1gWpLNVXW8SST3X7gvtJUuvnAlAAAAAElFTkSuQmCC);
+    }
+    table tr td.output {
+      width: 100px;
+    }
+    table tr td.hidden div {
+      height: 1em;
+      overflow: hidden;
+      cursor: pointer;
+    }
+    table tr th.id {
+      width: 3%;
+      min-width: 3em;
+    }
+    table tr th.taskid {
+      width: 12%;
+    }
+    table tr th.randomuri {
+      width: 15%;
+    }
+    table tr th.prompt {
+      width: 10%;
+    }
+
+p {
+margin-left: 20px;
+font-size: 12px;
+}
+
+</style>
+
+<pre>
+__________            .__.     _________  ________
+\_______  \____  _____|  |__   \_   ___ \ \_____  \
+|     ___/  _ \/  ___/  |  \  /    \  \/  /  ____/
+|    |  (  <_> )___ \|   Y  \ \     \____/       \
+|____|   \____/____  >___|  /  \______  /\_______
+                  \/     \/          \/         \/
+=============== v4.0 www.PoshC2.co.uk =============
+</pre>
+"""
+
+  if table == "CompletedTasks":
+    HTMLPre += """<input type="text" id="SearchTask" onkeyup="SearchTask()" placeholder="Search for task..">
+<input type="text" id="CommandInput" onkeyup="SearchCommand()" placeholder="Search for command..">
+<input type="text" id="OutputInput" onkeyup="SearchOutput()" placeholder="Search for output..">
+"""
+
+  if table == "Implants":
+    HTMLPre += """<input type="text" id="SearchHost" onkeyup="SearchHost()" placeholder="Search for host..">
+<input type="text" id="SearchUser" onkeyup="SearchUser()" placeholder="Search for user..">
+<input type="text" id="SearchURL" onkeyup="SearchURL()" placeholder="Search for URL..">
+"""
+  conn = sqlite3.connect(DB)
+  pd.set_option('display.max_colwidth', -1)
+  pd.options.mode.chained_assignment = None
+  frame = pd.read_sql_query("SELECT * FROM %s" % table, conn)
+
+  # encode the Output column
+  if table == "CompletedTasks":
+    for index, row in frame.iterrows():
+      frame.loc[index, "Command"] = replace_tabs(cgi.escape(row["Command"]))
+      frame.loc[index, "Output"] = replace_tabs(cgi.escape(row["Output"]))
+
+  # convert the random uri to original hostname
+  if table == "CompletedTasks":
+    framelen = frame['RandomURI'].count()
+    for x in range(0, framelen):
+      try:
+        frame['RandomURI'][x]
+        a = get_htmlimplant(str(frame['RandomURI'][x]))
+        frame['RandomURI'][x] = a[2] + " @ " + a[3]
+      except Exception as e:
+        print e
+        a = "None"
+
+  reportname = "%s%s.html" % (ReportsDirectory,table)
+  output_file = open(reportname, 'w')
+  HTMLPost = (frame.to_html(classes='table',index=False,escape=False)).replace("\\r\\n","</br>")
+  HTMLPost = HTMLPost.replace("\\n","</br>")
+  HTMLPost = re.sub(u'\x00', '', HTMLPost)
+  HTMLPost = HTMLPost.replace("      <td>","      <td class=\"TableColumn\">")
+  HTMLPost = HTMLPost.replace("<tr style=\"text-align: right;\">","<tr>")
+  HTMLPost = HTMLPost.replace("<table border=\"1\" class=\"dataframe table\">","<table id=\"PoshTable\" border=\"1\" class=\"PoshTableClass\">")
+  HTMLPost = HTMLPost.replace("<th>CompletedTaskID</th>","<th class=\"CompletedTaskID\">ID</th>")
+  HTMLPost = HTMLPost.replace("<th>ID</th>","<th class=\"ID\">ID</th>")
+  HTMLPost = HTMLPost.replace("<th>TaskID</th>","<th class=\"TaskID\">TaskID</th>")
+  HTMLPost = HTMLPost.replace("<th>RandomURI</th>","<th class=\"RandomURI\">RandomURI</th>")
+  HTMLPost = HTMLPost.replace("<th>Command</th>","<th class=\"Command\">Command</th>")
+  HTMLPost = HTMLPost.replace("<th>Output</th>","<th class=\"Output\">Output</th>")
+  HTMLPost = HTMLPost.replace("<th>Prompt</th>","<th class=\"Prompt\">Prompt</th>")
+  HTMLPost = HTMLPost.replace("<th>ImplantID</th>","<th class=\"ImplantID\">ImplantID</th>")
+  HTMLPost = HTMLPost.replace("<th>User</th>","<th class=\"User\">User</th>")
+  HTMLPost = HTMLPost.replace("<th>Hostname</th>","<th class=\"Hostname\">Hostname</th>")
+  HTMLPost = HTMLPost.replace("<th>IpAddress</th>","<th class=\"IpAddress\">IpAddress</th>")
+  HTMLPost = HTMLPost.replace("<th>Key</th>","<th class=\"Key\">Key</th>")
+  HTMLPost = HTMLPost.replace("<th>FirstSeen</th>","<th class=\"FirstSeen\">FirstSeen</th>")
+  HTMLPost = HTMLPost.replace("<th>LastSeen</th>","<th class=\"LastSeen\">LastSeen</th>")
+  HTMLPost = HTMLPost.replace("<th>PID</th>","<th class=\"PID\">PID</th>")
+  HTMLPost = HTMLPost.replace("<th>Proxy</th>","<th class=\"Proxy\">Proxy</th>")
+  HTMLPost = HTMLPost.replace("<th>Arch</th>","<th class=\"Arch\">Arch</th>")
+  HTMLPost = HTMLPost.replace("<th>Domain</th>","<th class=\"Domain\">Domain</th>")
+  HTMLPost = HTMLPost.replace("<th>Alive</th>","<th class=\"Alive\">Alive</th>")
+  HTMLPost = HTMLPost.replace("<th>Sleep</th>","<th class=\"Sleep\">Sleep</th>")
+  HTMLPost = HTMLPost.replace("<th>ModsLoaded</th>","<th class=\"ModsLoaded\">ModsLoaded</th>")
+  HTMLPost = HTMLPost.replace("<th>Pivot</th>","<th class=\"Pivot\">Pivot</th>")
+  HTMLPost = HTMLPost + """
+<script>
+tweakMarkup();
+</script>"""
+  output_file.write("%s%s" % (HTMLPre.encode('utf-8'),HTMLPost.encode('utf-8')))
+  output_file.close()
+  print reportname
+
+generate_table("CompletedTasks")
+generate_table("C2Server")
+generate_table("Creds")
+generate_table("Implants")

From 904c2fe3662ecc8568a10a45dce489b9dd7cb56f Mon Sep 17 00:00:00 2001
From: Ben Turner <benpturner@yahoo.com>
Date: Thu, 6 Dec 2018 22:13:43 +0000
Subject: [PATCH 2/2] Removed versioning and typo

---
 OfflineReportGenerator.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/OfflineReportGenerator.py b/OfflineReportGenerator.py
index d856e22..7519b2f 100644
--- a/OfflineReportGenerator.py
+++ b/OfflineReportGenerator.py
@@ -19,7 +19,7 @@ except IndexError:
     DB = ""
 
 if len(DB) < 1:
-  print "Usage: python OfflineReportGenerator.py sqPowershellC2.SQLite"
+  print "Usage: python OfflineReportGenerator.py PowershellC2.SQLite"
   exit()
 
 if not os.path.exists(DB):
@@ -345,7 +345,7 @@ __________            .__.     _________  ________
 |    |  (  <_> )___ \|   Y  \ \     \____/       \
 |____|   \____/____  >___|  /  \______  /\_______
                   \/     \/          \/         \/
-=============== v4.0 www.PoshC2.co.uk =============
+================= www.PoshC2.co.uk ===============
 </pre>
 """