Commit Graph

2008 Commits (9a72d0cbe7f939005decc651e59c3eaa45c322c3)

Author SHA1 Message Date
William Vu 639f341b21 Clean up module 2017-06-26 15:08:37 -05:00
David Maloney 722d9a278c
Land #8580, cachedump iteration count fix
lands rogdham's fixes for the ms cache dump post module
2017-06-19 14:04:07 -05:00
David Maloney 6d38dffbe1
convert conditionals to case statements
just a little tidying up by using case statements
2017-06-19 13:40:00 -05:00
Rogdham a01796d114 Make hashdump module work on Windows 10, fix #7936 2017-06-18 16:35:17 +02:00
Rogdham 75fab600c5 Add iteration count to cachedump module, fix #8560 2017-06-17 22:23:41 +02:00
Rogdham 86f5f3f002 Fix AES key length in cachedump module, fix #8525 2017-06-17 11:20:29 +02:00
David Maloney 42aa2e5acf
add some attempts at debugging to ntds
add some logging and more status outputs to the
NTDS domain hasdump. Also force the encoding on
strings to UTF8
2017-06-05 15:21:50 -05:00
Borja Merino 7077ac0523 Meterpreter Post-exploitation module to mount vmdk files 2017-05-25 11:47:04 +02:00
bwatters-r7 461649ed34
Land #8378, Add check in archmigrate to prevent privdesc 2017-05-23 14:37:29 -05:00
Carter c73e7673b1 Please the rubocop god 2017-05-23 15:13:55 -04:00
Carter e945773576 Update archmigrate.rb 2017-05-23 14:40:42 -04:00
Carter 5ee570bb9c Fix non-uniform spelling and capitalization 2017-05-15 08:31:01 -04:00
Carter ce7b967a13 Update archmigrate.rb 2017-05-13 13:35:48 -04:00
Carter 78b0fb00da I committed to the wrong branch 2017-05-13 13:35:13 -04:00
Carter 0bd11062e4 Ass SYSTEM check to archmigrate 2017-05-13 13:28:28 -04:00
Brent Cook 099fc0176a move autoroute to a more sensible location 2017-05-10 23:01:02 -05:00
darkbushido 81bcf2ca70 updating all LHOST to use the new opt type 2017-05-04 12:57:50 -05:00
William Vu 64452de06d Fix msf/core and self.class msftidy warnings
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
William Webb 48560d29f3
remove keyscan_extract and modify calling modules 2017-04-13 10:42:28 -05:00
bwatters-r7 dd5a91f153
Land #8008, Added archmigrate module for windows sessions 2017-04-05 08:55:27 -05:00
Koen Riepe 08b2a97293
Changed styling to be more in line with rubocop. 2017-04-05 10:05:56 +02:00
Koen Riepe 628827cda9
Added some documentation and gracefull error handeling. 2017-03-31 12:45:30 +02:00
bwatters-r7 691811af5a
Land #7994, Add Windows Gather DynaZIP Saved Password Extraction post module 2017-03-29 16:04:09 -05:00
bwatters-r7 be41df6de0
Land #8036, Fix run_as_psh with domain accounts 2017-03-21 09:05:50 -05:00
Brent Cook e2c6f959f4
Land #8129, s/colom/colon/g 2017-03-19 22:14:38 -05:00
Carter ae883d7f02 Update multi_meterpreter_inject.rb 2017-03-19 00:27:28 -04:00
Carter 661bf6e492 Update multi_meterpreter_inject.rb 2017-03-19 00:27:03 -04:00
Carter 93a6614ab3 Update multi_meterpreter_inject.rb 2017-03-19 00:25:46 -04:00
William Webb 1180bd6ed7
Land #8037, priv_migrate improvements 2017-03-17 13:19:51 -05:00
William Vu 456ddcebc0 Remove nil values that are default already
There are four lights!
2017-03-15 15:51:22 -05:00
Rich Whitcroft 04f11b0bf7 fix migrate by process name 2017-03-14 17:27:46 -04:00
Louis 759b67c565 Fix ru_as_psh with domain accounts
The current versions has too many escape backslashes, as a result, running run_as_psh for domain users does not work.
Also added support for DOMAIN\\User format in the USER parameter.
2017-03-01 13:38:15 +11:00
Josh Hale def5088097 Change NOFAIL default to false 2017-02-27 20:37:58 -06:00
Josh Hale 2f5dd38957 Update Admin target list and module description 2017-02-27 20:19:59 -06:00
Josh Hale 3333019e5f Check if current admin proc is in target list 2017-02-27 18:55:25 -06:00
Josh Hale 717879f3df Downcase targets and current proc name 2017-02-27 18:28:46 -06:00
Josh Hale 8e8e7244f4 Add exit language 2017-02-27 18:07:15 -06:00
Josh Hale e1d76b8ff6 Add more error handling 2017-02-27 17:06:16 -06:00
Josh Hale ffb54a13fe Add NOFAIL datastore option 2017-02-27 12:41:18 -06:00
Koen Riepe 264cfc9bd4
Added OPTIONS to the module 2017-02-27 13:24:31 +01:00
Josh Hale 81efe096aa Update Author Handle 2017-02-26 21:01:19 -06:00
Koen Riepe 45b1f796e4
Added archmigrate module to metasploit. 2017-02-24 10:29:19 +01:00
Brendan Coles 0b34efab43 Add documentation 2017-02-23 06:59:05 +00:00
Brendan Coles dc30dd70da Add Windows Gather DynaZIP Saved Password Extraction post module 2017-02-22 22:20:19 +00:00
Brent Cook 15a4ec629b remove TRUE 2017-01-22 10:20:03 -06:00
Brent Cook 836da6177f Cipher::Cipher is deprecated 2017-01-22 10:20:03 -06:00
Brent Cook f69b4a330e handle Ruby 2.4 Fixnum/Bignum -> Integer deprecations 2017-01-22 10:20:03 -06:00
Brent Cook fae4751771
Land #7744, update kiwi extension to Mimikatz 2.1 2016-12-29 16:22:45 -06:00
OJ 18e69b85af
Update the golden ticket module to work with new kiwi 2016-12-23 10:30:06 +10:00
bwatters_r7 e646a8d5c2 Please the rubocop gods (unless they are dumb) 2016-12-21 16:13:53 -08:00
p3nt4 13ccfd7bb3 Update run_as_psh.rb 2016-12-21 09:44:57 +11:00
p3nt4 a9b78e37d2 Update typos 2016-12-21 09:43:18 +11:00
p3nt4 cc99aaafc6 Corrected as per reviews 2016-12-21 09:42:26 +11:00
p3nt4 b9fd1db5fa Add module to runas ysing powershell 2016-12-20 14:38:19 +11:00
Brendan 9b678c2bdd
Land #7685, Add mosule to change user passwords by editing SAM registry 2016-12-16 13:11:40 -06:00
Brent Cook 52346c3fa8 fix renamed rex text 2016-12-15 15:31:00 -06:00
p3nt4 deec6eccdf Update hashcarve.rb 2016-12-12 17:09:04 +11:00
p3nt4 3e80ee1d6a Better Error Handling 2016-12-12 17:07:47 +11:00
p3nt4 7b4dce5e7e One left! 2016-12-09 16:27:40 +11:00
p3nt4 74c48f5fa4 I'll get there! 2016-12-09 16:24:49 +11:00
p3nt4 c898e768f6 Struggling with tidyness 2016-12-09 16:00:32 +11:00
p3nt4 586b2d92e2 Corrected status prints 2016-12-09 15:45:30 +11:00
p3nt4 fb360e69c0 Initial Commit
This module "carves" a hash in the registries to set it as a user password.

The benefits are:
1/ It doesn't change the password last change field
2/ You can set a hash directly, so you can change  a user's password and revert it without cracking its hash.

I have tested it in Windows 7, and 8.1. Should work on every version though.

Usage:
 run post/windows/manage/hashcarve user=test pass=<password>
 run post/windows/manage/hashcarve user=test pass=<nthash>
 run post/windows/manage/hashcarve user=test pass=<lmhash:nthash>

This work is based on the hashdump implementation.
2016-12-09 15:41:01 +11:00
OJ e5ea4a53d3
Fix typo in windows cred phish module 2016-11-04 13:26:10 +10:00
OJ ffb53b7ca3
Tidy arch check in meterpreter inject 2016-11-01 01:51:12 +10:00
OJ 640827c24b
Final pass of regex -> string checks 2016-10-29 14:59:05 +10:00
OJ 57eabda5dc
Merge upstream/master 2016-10-29 13:54:31 +10:00
OJ 751742face
Fix typo in arch check for inject script 2016-10-29 08:25:23 +10:00
OJ 1ca2fe1398
More platform/arch/session fixes 2016-10-29 08:11:20 +10:00
OJ 1d617ae389
Implement first pass of architecture/platform refactor 2016-10-28 07:16:05 +10:00
David Maloney 6a31dad678
clean up some style guide issues with rubocop
applied rubocop to the module for some
tidying up
2016-10-25 11:24:32 -05:00
drforbin 94979f4541 changed formatting for else statements 2016-10-25 09:42:00 -05:00
drforbin 6f3c20069b fixed formatting errors for travis 2016-10-25 09:42:00 -05:00
drforbin 0ec153eb9c changed formatting, changed to OptPath. cleaned unneeded code 2016-10-25 09:41:59 -05:00
drforbin 3b9a441382 cleaned up write_target, and variables REXE 2016-10-25 09:41:59 -05:00
drforbin c3ada74728 changed formatting to comform with travis 2016-10-25 09:41:59 -05:00
drforbin 0395d57512 formatting changes and design changes. tested 2016-10-25 09:41:58 -05:00
drforbin 337e3b6cce added persistence_exe.rb to windows post modules 2016-10-25 09:41:58 -05:00
OJ 022830634b
Rejig platform to use windows instead of win32/win64 2016-10-14 10:10:04 +10:00
Brent Cook bd24e7eba0 more cleanups and print output on auto-run 2016-10-08 21:14:26 -05:00
Brent Cook 5284db6b58 module cleanup 2016-10-08 20:17:29 -05:00
Brent Cook 199bf8e726 cleanups and update to require 4.0 CLR by default 2016-10-08 15:24:13 -05:00
RageLtMan 44c5fc3250 Sync build_net_code post module upstream
Fix merge conflicts and add missing lines to framework version of
the DotNet compiler example module.

Test output to come in PR #5393
2016-10-08 14:06:35 -05:00
wchen-r7 0e57808914 Update to class name MetasploitModule 2016-10-08 14:06:35 -05:00
RageLtMan 36b989e6d7 Initial import of .NET compiler and persistence
Add Exploit::Powershell::DotNet namespace with compiler and
runtime elevator.

Add compiler modules for payloads and custom .NET code/blocks.

==============

Powershell-based persistence module to compile .NET templates
with MSF payloads into binaries which persist on host.
Templates by @hostess (way back in 2012).

C# templates for simple binaries and a service executable with
its own install wrapper.

==============

Generic .NET compiler post module

Compiles .NET source code to binary on compromised hosts.
Useful for home-grown APT deployment, decoy creation, and other
misdirection or collection activities.

Using mimikatz (kiwi), one can also extract host-resident certs
and use them to sign the generated binary, thus creating a
locally trusted exe which helps with certain defensive measures.

==============

Concept:

Microsoft has graciously included a compiler in every modern
version of Windows. Although executables which can be easily
invoked by the user may not be present on all hosts, the
shared runtime of .NET and Powershell exposes this functionality
to all users with access to Powershell.

This commit provides a way to execute the compiler entirely in
memory, seeking to avoid disk access and the associated forensic
and defensive measures. Resulting .NET assemblies can be run
from memory, or written to disk (with the option of signing
them using a pfx cert on the host). Two basic modules are
provided to showcase the functionality and execution pipeline.

Usage notes:

Binaries generated this way are dynamic by nature and avoid sig
based detection. Heuristics, sandboxing, and other isolation
mechanisms must be defeated by the user for now. Play with
compiler options, included libraries, and runtime environments
for maximum entropy before you hit the temmplates.

Defenders should watch for:
Using this in conjunction with WMI/PS remoting or other MSFT
native distributed execution mechanism can bring malware labs
to their knees with properly crafted templates.
The powershell code to generate the binaries also provides a
convenient method to leave behind complex trojans which are not
yet in binary form, nor will they be until execution (which can
occur strictly in memory avoiding disk access for the final
product).

==============

On responsible disclosure: I've received some heat over the years
for prior work in this arena. Everything here is already public,
and has been in closed PRs in the R7 repo for years. The bad guys
have had this for a while (they do their homework religiously),
defenders need to be made aware of this approach and prepare
themselves to deal with it.
2016-10-08 14:05:53 -05:00
Brent Cook 60e728ec5c
Land #7065, Correct display errors for SHA-512 hashes with MS SQL Server 2012 2016-09-15 18:06:02 -05:00
Brent Cook 8b050fcc9b simplify cleanup code, remove duplicate logic 2016-09-15 18:05:34 -05:00
wchen-r7 89705cc803 Avoid potential undef method error '+' for nil 2016-09-13 11:13:02 -05:00
wchen-r7 50447fc4cf Fix post/windows/gather/credentials/steam for an empty env var 2016-09-13 11:04:42 -05:00
scriptjunkie a0e05d4c4c
Land #7287, mdaemon cred dumper 2016-09-10 08:43:07 -05:00
Brent Cook a81f351cb3
Land #7274, Remove deprecated modules 2016-09-09 12:01:59 -05:00
Agora Security 00f09d19b1 SMTP Typo
Correct SMTP Type (before SMPT)
2016-09-09 01:36:37 -05:00
wchen-r7 a9c3c5d391 Fix typos 2016-09-07 15:40:10 -05:00
wchen-r7 831c7a08a8 Check environment variables before using for winscp module 2016-09-07 15:24:22 -05:00
William Vu fed2ed444f Remove deprecated modules
psexec_psh is undeprecated because users have been reporting
idiosyncrasies between it and psexec in the field.
2016-09-03 12:43:01 -05:00
AgoraSecurity d65ca818ea Add validation of session type 2016-08-31 11:29:04 -05:00
AgoraSecurity ce7d4cf7f7 Removed "shell" from SessionTypes
Remove the need to check for the session type manually. It will be automatically validated at the time of module run.
2016-08-31 00:12:31 -05:00
AgoraSecurity 401044ee43 Fix error when saving creds 2016-08-30 16:49:31 -05:00
Brendan bc6a529388 Added some error checking to CredEnuerateA() railgun call 2016-08-26 16:21:54 -05:00
Louis Sato 4a6b2ef8de
fixing typo for reference for golden ticket 2016-08-24 10:55:36 -05:00