13ccfd7bb3
Update run_as_psh.rb
2016-12-21 09:44:57 +11:00
a9b78e37d2
Update typos
2016-12-21 09:43:18 +11:00
cc99aaafc6
Corrected as per reviews
2016-12-21 09:42:26 +11:00
b9fd1db5fa
Add module to runas ysing powershell
2016-12-20 14:38:19 +11:00
9b678c2bdd
Land #7685 , Add mosule to change user passwords by editing SAM registry
2016-12-16 13:11:40 -06:00
52346c3fa8
fix renamed rex text
2016-12-15 15:31:00 -06:00
deec6eccdf
Update hashcarve.rb
2016-12-12 17:09:04 +11:00
3e80ee1d6a
Better Error Handling
2016-12-12 17:07:47 +11:00
7b4dce5e7e
One left!
2016-12-09 16:27:40 +11:00
74c48f5fa4
I'll get there!
2016-12-09 16:24:49 +11:00
c898e768f6
Struggling with tidyness
2016-12-09 16:00:32 +11:00
586b2d92e2
Corrected status prints
2016-12-09 15:45:30 +11:00
fb360e69c0
Initial Commit
...
This module "carves" a hash in the registries to set it as a user password.
The benefits are:
1/ It doesn't change the password last change field
2/ You can set a hash directly, so you can change a user's password and revert it without cracking its hash.
I have tested it in Windows 7, and 8.1. Should work on every version though.
Usage:
run post/windows/manage/hashcarve user=test pass=<password>
run post/windows/manage/hashcarve user=test pass=<nthash>
run post/windows/manage/hashcarve user=test pass=<lmhash:nthash>
This work is based on the hashdump implementation.
2016-12-09 15:41:01 +11:00
e5ea4a53d3
Fix typo in windows cred phish module
2016-11-04 13:26:10 +10:00
ffb53b7ca3
Tidy arch check in meterpreter inject
2016-11-01 01:51:12 +10:00
640827c24b
Final pass of regex -> string checks
2016-10-29 14:59:05 +10:00
57eabda5dc
Merge upstream/master
2016-10-29 13:54:31 +10:00
751742face
Fix typo in arch check for inject script
2016-10-29 08:25:23 +10:00
1ca2fe1398
More platform/arch/session fixes
2016-10-29 08:11:20 +10:00
1d617ae389
Implement first pass of architecture/platform refactor
2016-10-28 07:16:05 +10:00
6a31dad678
clean up some style guide issues with rubocop
...
applied rubocop to the module for some
tidying up
2016-10-25 11:24:32 -05:00
94979f4541
changed formatting for else statements
2016-10-25 09:42:00 -05:00
6f3c20069b
fixed formatting errors for travis
2016-10-25 09:42:00 -05:00
0ec153eb9c
changed formatting, changed to OptPath. cleaned unneeded code
2016-10-25 09:41:59 -05:00
3b9a441382
cleaned up write_target, and variables REXE
2016-10-25 09:41:59 -05:00
c3ada74728
changed formatting to comform with travis
2016-10-25 09:41:59 -05:00
0395d57512
formatting changes and design changes. tested
2016-10-25 09:41:58 -05:00
337e3b6cce
added persistence_exe.rb to windows post modules
2016-10-25 09:41:58 -05:00
022830634b
Rejig platform to use windows instead of win32/win64
2016-10-14 10:10:04 +10:00
bd24e7eba0
more cleanups and print output on auto-run
2016-10-08 21:14:26 -05:00
5284db6b58
module cleanup
2016-10-08 20:17:29 -05:00
199bf8e726
cleanups and update to require 4.0 CLR by default
2016-10-08 15:24:13 -05:00
44c5fc3250
Sync build_net_code post module upstream
...
Fix merge conflicts and add missing lines to framework version of
the DotNet compiler example module.
Test output to come in PR #5393
2016-10-08 14:06:35 -05:00
0e57808914
Update to class name MetasploitModule
2016-10-08 14:06:35 -05:00
36b989e6d7
Initial import of .NET compiler and persistence
...
Add Exploit::Powershell::DotNet namespace with compiler and
runtime elevator.
Add compiler modules for payloads and custom .NET code/blocks.
==============
Powershell-based persistence module to compile .NET templates
with MSF payloads into binaries which persist on host.
Templates by @hostess (way back in 2012).
C# templates for simple binaries and a service executable with
its own install wrapper.
==============
Generic .NET compiler post module
Compiles .NET source code to binary on compromised hosts.
Useful for home-grown APT deployment, decoy creation, and other
misdirection or collection activities.
Using mimikatz (kiwi), one can also extract host-resident certs
and use them to sign the generated binary, thus creating a
locally trusted exe which helps with certain defensive measures.
==============
Concept:
Microsoft has graciously included a compiler in every modern
version of Windows. Although executables which can be easily
invoked by the user may not be present on all hosts, the
shared runtime of .NET and Powershell exposes this functionality
to all users with access to Powershell.
This commit provides a way to execute the compiler entirely in
memory, seeking to avoid disk access and the associated forensic
and defensive measures. Resulting .NET assemblies can be run
from memory, or written to disk (with the option of signing
them using a pfx cert on the host). Two basic modules are
provided to showcase the functionality and execution pipeline.
Usage notes:
Binaries generated this way are dynamic by nature and avoid sig
based detection. Heuristics, sandboxing, and other isolation
mechanisms must be defeated by the user for now. Play with
compiler options, included libraries, and runtime environments
for maximum entropy before you hit the temmplates.
Defenders should watch for:
Using this in conjunction with WMI/PS remoting or other MSFT
native distributed execution mechanism can bring malware labs
to their knees with properly crafted templates.
The powershell code to generate the binaries also provides a
convenient method to leave behind complex trojans which are not
yet in binary form, nor will they be until execution (which can
occur strictly in memory avoiding disk access for the final
product).
==============
On responsible disclosure: I've received some heat over the years
for prior work in this arena. Everything here is already public,
and has been in closed PRs in the R7 repo for years. The bad guys
have had this for a while (they do their homework religiously),
defenders need to be made aware of this approach and prepare
themselves to deal with it.
2016-10-08 14:05:53 -05:00
60e728ec5c
Land #7065 , Correct display errors for SHA-512 hashes with MS SQL Server 2012
2016-09-15 18:06:02 -05:00
8b050fcc9b
simplify cleanup code, remove duplicate logic
2016-09-15 18:05:34 -05:00
89705cc803
Avoid potential undef method error '+' for nil
2016-09-13 11:13:02 -05:00
50447fc4cf
Fix post/windows/gather/credentials/steam for an empty env var
2016-09-13 11:04:42 -05:00
a0e05d4c4c
Land #7287 , mdaemon cred dumper
2016-09-10 08:43:07 -05:00
a81f351cb3
Land #7274 , Remove deprecated modules
2016-09-09 12:01:59 -05:00
00f09d19b1
SMTP Typo
...
Correct SMTP Type (before SMPT)
2016-09-09 01:36:37 -05:00
a9c3c5d391
Fix typos
2016-09-07 15:40:10 -05:00
831c7a08a8
Check environment variables before using for winscp module
2016-09-07 15:24:22 -05:00
fed2ed444f
Remove deprecated modules
...
psexec_psh is undeprecated because users have been reporting
idiosyncrasies between it and psexec in the field.
2016-09-03 12:43:01 -05:00
d65ca818ea
Add validation of session type
2016-08-31 11:29:04 -05:00
ce7d4cf7f7
Removed "shell" from SessionTypes
...
Remove the need to check for the session type manually. It will be automatically validated at the time of module run.
2016-08-31 00:12:31 -05:00
401044ee43
Fix error when saving creds
2016-08-30 16:49:31 -05:00
bc6a529388
Added some error checking to CredEnuerateA() railgun call
2016-08-26 16:21:54 -05:00
4a6b2ef8de
fixing typo for reference for golden ticket
2016-08-24 10:55:36 -05:00
870669bdf7
handle exception in getsystem module
2016-08-15 23:51:05 -05:00
eb73a6914d
replace old rex::ui::text::table refs
...
everywhere we called the class we have now rewritten it
to use the new namespace
MS-1875
2016-08-10 13:30:09 -05:00
b61aaef03e
Fix undercase issue with userlist.dat
...
Remove the 2nd element of the array at line 102.
Add .downcase for line 103.
Fix to find filenames on systems that created the userlist.dat on uppercase.
2016-07-29 15:54:34 -05:00
6c7cc061ea
Minor formatting tweaks.
2016-07-28 16:29:42 -05:00
ef2899dfd4
msftidy updates
2016-07-28 16:29:42 -05:00
7b4bb75294
Create avira_password.rb
2016-07-28 16:29:42 -05:00
df15eebdf8
Land #7106 , multiple keylog_recorder improvements
2016-07-25 14:54:06 -05:00
352d63480d
scriptjunkie's recs and fixes additional issues
2016-07-21 22:54:48 -05:00
722133491d
Wording change in advanced options and doc
2016-07-16 22:57:36 -05:00
9cb9a2f69d
Update for windows keylog_recorder
2016-07-16 22:38:10 -05:00
dcd09f17bd
New Post Module
...
New post module for windows.
It gathers the users and cracks the password of MDaemon Mail server.
NOTE: The module have a bug and I would appreciate help fixing it (problem when storing credentials)
2016-07-16 19:07:27 -05:00
e3801c425b
Fix typo in USB error message
2016-07-16 09:43:48 -04:00
b08d1ad8d8
Revert "Land #6812 , remove broken OSVDB references"
...
This reverts commit 2b016e02167b1d9596c7
2016-07-15 12:00:31 -05:00
2b016e0216
Land #6812 , remove broken OSVDB references
2016-07-11 22:59:11 -05:00
9d13df3a25
Corrected for console width errors causing erroneous carriage returns, resulting in incorrect hash extraction on ms sql server 2012
2016-07-04 16:23:07 -04:00
81f30ca962
Land #6966 , Microsoft Office Trusted Locations Enumeration
2016-06-21 21:45:39 +01:00
95517b4a45
Avoid exception on missing key in prefs.
2016-06-20 09:26:10 -05:00
6cb2a6970e
Fix unused SessionType in two modules
...
Pretty sure it should be "shell."
2016-06-19 23:41:34 -05:00
0451d4f079
Cleanup
2016-06-15 22:41:59 +01:00
8a68e86a0a
Update enum_trusted_locations.rb
...
Changed some colours
2016-06-15 13:42:38 +01:00
48714184f3
Update enum_trusted_locations.rb
...
Added product it found the locations in.
2016-06-15 13:41:19 +01:00
1ba33ff7f8
Fixed MSFTidy
...
Fixed MSFTidy stuff
2016-06-12 13:00:44 +01:00
a2a97d0271
Update enum_trusted_locations.rb
...
Fix some changes, I had emet references.
2016-06-12 11:06:20 +01:00
2e03c3511e
Add enum_trusted_locations.rb
...
Quickly enumerates trusted locations for file planting :)
2016-06-12 10:59:57 +01:00
233186c833
Check presence in local admin group
...
As the "is_admin?" function only checks if the current session effectively has admin rights, I offer to add a check to know if the current user is in the local admin group using the "is_in_admin_group?" function. This information is better suited to check if admin rights are obtainable using the "bypassuac" module.
2016-06-09 17:47:09 +02:00
194a84c793
Modify stdapi so it also uses exist? over exists? for ruby parity
...
Also add an alias for backward compatibility.
2016-04-23 17:31:22 -04:00
816bc91e45
Resolve #6807 , remove all OSVDB references.
...
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.
Resolve #6807
2016-04-23 12:32:34 -05:00
da9f156913
Print IP in print_*
2016-04-22 16:03:31 -05:00
3aa02891e9
Bring #6801 up to date with upstream-master
2016-04-22 14:04:26 -05:00
16ff74e293
syntax check / code reduce
2016-04-22 10:53:03 +08:00
ca4bcfe62a
Update enum_emet.rb
...
Cleaned up a bit more
2016-04-22 00:41:10 +01:00
c81d0ade3f
Update, implemented
...
Took @bcook-r7's advice
2016-04-22 00:37:03 +01:00
30ac6b4a93
enum_emet
...
A module to enumerate all the EMET wildcard paths.
2016-04-22 00:20:25 +01:00
57ab974737
File.exists? must die
2016-04-21 00:47:07 -04:00
57467b94d9
Fix RegExp evaluation in is_routable? function
2016-04-20 10:22:46 -05:00
48556483b5
Fix a few comments
2016-04-17 19:16:52 -05:00
32590c89b7
Add interface name to routing status message
2016-04-17 14:15:50 -05:00
fb7194c125
Work on autoroute.md
2016-04-17 00:04:42 -05:00
a5e48b6112
Add default option and clean up comments
2016-04-16 19:50:08 -05:00
6550e0bc1b
Finish up autoadd_interface_routes
2016-04-16 18:42:41 -05:00
b3d199c055
Add get_subnet_octet and test
2016-04-16 14:57:39 -05:00
b1064af082
Initial get_subnet testing
2016-04-16 13:50:15 -05:00
018e7807fe
Identify routable networks
2016-04-15 22:21:54 -05:00
e8863ba09d
Initial autoadd_interface_routes work
2016-04-15 22:13:17 -05:00
5f5c330f2b
Initial Testing of Interface Info Gather
2016-04-14 21:59:48 -05:00
c39410a070
Fix autoadd problem
2016-04-13 23:31:27 -05:00
cba7353e1d
Fix another typo?
2016-04-07 17:12:11 -05:00
ff9d94218d
Fix a typo?
2016-04-07 17:11:42 -05:00
a3c390ee9d
Change class name to MetasploitModule
2016-04-07 17:11:08 -05:00
f09637a1c7
Bring #6377 up to date with upstream-master
2016-04-07 17:06:49 -05:00
0d3eb4f055
Change class name to MetasploitModule
2016-04-07 12:15:32 -05:00
0f56dbd858
Bring #6378 up to date with upstream-master
2016-04-07 12:10:55 -05:00
ac051bda7f
Add check is_routable?, and change netmask if needed
2016-04-06 15:28:54 -05:00
d240e0b3a2
Bring #6515 up to date with upstream-master
2016-04-06 11:27:32 -05:00
4074634a13
Land #6713 , Add post exploit module for HeidiSQL's stored passwords
2016-03-30 12:10:30 -05:00
0c6b4d81c8
More proper exception handling
2016-03-30 12:09:40 -05:00
aaa1515ba0
Print rhost:rport
2016-03-30 11:56:09 -05:00
397d5580be
Use MetasploitModule convention
2016-03-30 15:44:37 +01:00
f8628e3438
Merge remote-tracking branch 'upstream/master' into wdigest_enable
2016-03-30 15:44:21 +01:00
9e45f0c104
Minor tidies
2016-03-30 15:29:03 +01:00
976932ed43
Initial commit
2016-03-26 12:00:25 +01:00
d54bbdf9a3
Land #6566 , filezilla xml file locations
2016-03-17 16:27:24 -05:00
115a033036
Fix parsing the Last Server xml
2016-03-17 16:27:02 -05:00
1375600780
Land #6644 , datastore validation on assignment
2016-03-17 11:16:12 -05:00
cd84ac37d6
Land #6569 , check if USERNAME env var exists before using in enum_chrome post module
2016-03-13 15:12:51 -05:00
c89e53d0a3
Land #6666 , fix filezilla_server display bug showing the session ID
2016-03-13 13:56:44 -05:00
51cdb57d42
Fix #6569 , Add a check for USERNAME env var in enum_chrome post mod
...
Fix #6569
Depending on the context, the USERNAME environment variable might
not always be there.
2016-03-11 15:36:44 -06:00
8217d55e25
Fix display issue when SESSION is -1
2016-03-11 11:37:22 -06:00
3123175ac7
use MetasploitModule as a class name
2016-03-08 14:02:44 +01:00
f703fa21d6
Revert "change Metasploit3 class names"
...
This reverts commit 666ae14259
2016-03-07 13:19:55 -06:00
44990e9721
Revert "change Metasploit4 class names"
...
This reverts commit 3da9535e22
2016-03-07 13:19:48 -06:00
3da9535e22
change Metasploit4 class names
2016-03-07 09:57:22 +01:00
666ae14259
change Metasploit3 class names
2016-03-07 09:56:58 +01:00
c7c0e12bb3
remove various module hacks for the datastore defaults not preserving types
2016-03-05 23:11:39 -06:00
c7f9fbcdfa
Change to enable/disable
2016-03-06 04:31:24 +00:00
6b510005da
Reverse os checks
2016-03-06 04:31:23 +00:00
0e52fda708
Initial tidy
2016-03-06 04:31:23 +00:00
8a15c36770
Land #6563 , VNC creds scraper uninstall location
2016-02-19 15:01:23 -06:00
bfd204ac50
Fix some cosmetic issues
2016-02-19 15:00:56 -06:00
bc74ceb8c5
Handle errors when parsing interfaces.xml, add check for several locations
2016-02-11 15:56:58 +01:00
8118198628
Add vprint of the exception message
2016-02-10 22:47:51 +01:00
1637891ece
Add check for the uninstall location in vnc post module
2016-02-10 20:30:41 +01:00
62dd82e653
Make fix easier to read
2016-02-10 11:24:45 -06:00
4653c27167
Fix minor grammar error in description
2016-02-09 21:24:40 -06:00
08a41b0a31
Fix issue when target PID not owned by session
2016-02-09 21:22:50 -06:00
3d4b7af6bb
Update description
2016-01-30 14:35:03 -06:00
413ea53984
Add found flag and touchup code
2016-01-30 14:31:45 -06:00
3abb6feb3f
Add autoadd feature to autoroute.rb
2016-01-29 21:34:22 -06:00
315d079ae8
Land #6402 , Add Post Module for Windows Priv Based Meterpreter Migration
...
We are also replacing smart_migrate with this.
2016-01-13 01:21:32 -06:00
6deb57dca3
Deprecate post/windows/manage/smart_migrate and other things
...
This includes:
* Give credit to thelightcosine in priv_migrate
* Deprecate smart_migrate
* Update InitialAutoRunScript for winrm_script_exec
2016-01-12 23:14:13 -06:00
7128c408c8
Land #6375 , Active Directory Managed Groups Enumeration
2016-01-12 11:21:31 +00:00
4ba2d56f49
Just search on DN for samaccountname
2016-01-12 11:20:20 +00:00
5e6620f2cf
add yard doc and lexical sorting
...
lexical sort methods and add missing YARD docs
2016-01-08 14:36:21 -06:00
536378e023
move datastore kill check to kill method
...
move the datastore check for datatstore['KILL']
into the actual kill method for sake of DRYness
2016-01-08 14:31:42 -06:00
9716b97e1c
split up the migration efforts
...
move admin and suer migrations into
seperate methods for enhanced readability
and maintainability
2016-01-08 14:26:39 -06:00
ad50f9a047
move default targets to constants
...
cleanup the way the target lists get populated
to use constants and be a little cleaner and dryer
2016-01-08 14:03:30 -06:00
4e99c873c8
Fix issue when target_pid == current_pid
2016-01-06 19:58:07 -06:00
60c506d7fb
Replace error handling methods
2016-01-06 18:53:54 -06:00
30a866a85b
Update enable_rdp.rb
...
Fixed some typos.
2016-01-04 09:52:57 +00:00
47f9880690
Land #6395 , grammar fixes for recovery_files.rb
...
Improves grammar and details within the description of /post/windows/gather/forensics/recovery_files.rb
2015-12-28 15:57:41 -06:00
p3nt4
Brendan
Brent Cook
OJ
David Maloney
drforbin
Brent Cook
RageLtMan
wchen-r7
scriptjunkie
Agora Security
William Vu
Louis Sato
Pearce Barry
Robert Kugler
Josh Hale
ktreimann
Stephen Deck
Meatballs
Vincent Yiu
Crypt0-M3lon
join-us
Hans-Martin Münch (h0ng10)
James Lee
Christian Mehlmauer
nk
Kyle Gray