Commit Graph

3238 Commits (cf33f482a1fae6fff98978be21326beeccd7fd57)

Author SHA1 Message Date
Harvey Phillips 4278339869
Added multi-file support for torrc and use locate instead of find when searching 2017-06-07 20:08:23 +01:00
Harvey Phillips 71fde14b6c Linux post module to grab TOR hidden service hostnames and private keys 2017-06-06 22:29:14 +01:00
Harvey Phillips f557aa3c9c
Linux post module to search for and grab TOR hidden service configurations 2017-06-06 21:59:02 +01:00
David Maloney 42aa2e5acf
add some attempts at debugging to ntds
add some logging and more status outputs to the
NTDS domain hasdump. Also force the encoding on
strings to UTF8
2017-06-05 15:21:50 -05:00
Borja Merino 7077ac0523 Meterpreter Post-exploitation module to mount vmdk files 2017-05-25 11:47:04 +02:00
bwatters-r7 461649ed34
Land #8378, Add check in archmigrate to prevent privdesc 2017-05-23 14:37:29 -05:00
Carter c73e7673b1 Please the rubocop god 2017-05-23 15:13:55 -04:00
Carter e945773576 Update archmigrate.rb 2017-05-23 14:40:42 -04:00
James Lee b78749bc1b
Land #8221, move autoroute 2017-05-17 15:17:45 -05:00
Carter 5ee570bb9c Fix non-uniform spelling and capitalization 2017-05-15 08:31:01 -04:00
Carter ce7b967a13 Update archmigrate.rb 2017-05-13 13:35:48 -04:00
Carter 78b0fb00da I committed to the wrong branch 2017-05-13 13:35:13 -04:00
Carter 0bd11062e4 Ass SYSTEM check to archmigrate 2017-05-13 13:28:28 -04:00
Brent Cook 7bcaaf33c7
Land #8294, gnome keyring post exploit credential dumper 2017-05-12 10:08:53 -05:00
Brent Cook e9fcc3c291 msftidy fixes 2017-05-12 10:08:26 -05:00
h00die af4505a9de
land #8009 post module for jboss creds gather 2017-05-11 22:39:54 -04:00
h00die 285857c23f remove req msfcore 2017-05-11 22:39:41 -04:00
h00die 6fa51aee8f moving docs to correct folder 2017-05-11 22:33:00 -04:00
Josh Hale 843f148e62 One more yard doc function 2017-05-10 23:01:03 -05:00
Josh Hale e84765c1c6 All functions have yard doc like comments 2017-05-10 23:01:03 -05:00
Josh Hale c5391c2a64 Update cmd print to match core.rb 2017-05-10 23:01:03 -05:00
Josh Hale 10c7c3893a Add subnet check for Android payloads 2017-05-10 23:01:03 -05:00
Josh Hale c49bd9ee4e Add session ready check 2017-05-10 23:01:03 -05:00
Josh Hale 97eaa83114 Update delete all routes 2017-05-10 23:01:03 -05:00
Josh Hale f670fcddcb Initial code cleanup and multi compatibility work 2017-05-10 23:01:02 -05:00
Brent Cook 099fc0176a move autoroute to a more sensible location 2017-05-10 23:01:02 -05:00
Pearce Barry af3f1fbc37
Land #8332, Canprobe Module 2017-05-07 12:20:27 -05:00
Pearce Barry c05e7b3b58
Minor corrections and a tweak to appease msftidy. 2017-05-07 11:55:20 -05:00
Pearce Barry e3d3fa8e45
Tweak internal description formatting. 2017-05-07 11:31:36 -05:00
Pearce Barry b965bdcdae
Appease msftidy and Travis. 2017-05-07 11:19:32 -05:00
darkbushido 81bcf2ca70 updating all LHOST to use the new opt type 2017-05-04 12:57:50 -05:00
William Vu 64452de06d Fix msf/core and self.class msftidy warnings
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
Craig Smith 9877aa9ef9 Added documentation and cleand up how STOPID worked 2017-05-02 18:57:32 -07:00
Craig Smith 3519adbaef A basic CAN fuzzer. It probes the data regions of different CAN IDs.
The default is to use a set value but can iterate the full range.  It can
also add padding if necessary.  Not checks on returns or results of fuzzing.
2017-05-02 14:19:29 -07:00
Spencer McIntyre da6c03d13f Fix function names to always be snake_case 2017-04-26 09:30:29 -04:00
wchen-r7 c573628e10 Fix header 2017-04-24 17:01:35 -05:00
Spencer McIntyre ffe6d35b4d Add a module to dump network passwords from gnome 2017-04-21 16:17:18 -04:00
Koen Riepe 55ab800f13
Minor code fixes. 2017-04-19 14:41:11 +02:00
James Lee 84dd5cd01a
Add a simple upload exec module 2017-04-17 19:34:21 -05:00
William Webb 48560d29f3
remove keyscan_extract and modify calling modules 2017-04-13 10:42:28 -05:00
Koen Riepe 9f289bdf52
Fixed error messages and some syntax. 2017-04-12 13:48:11 +02:00
William Vu 288e384164
Land #8189, irssi password post gather module 2017-04-10 23:34:54 -05:00
Jonathan Claudius 96927b449c
Rework module to grab entire irssi configs 2017-04-11 00:02:40 -04:00
Jonathan Claudius 6a1531da34
Fix loot name attributes 2017-04-10 23:52:31 -04:00
Jonathan Claudius d92f94e077
Fix grammar issue 2017-04-10 23:44:18 -04:00
Jonathan Claudius d9e96a8b4f
Consolidate loot into single file 2017-04-10 23:42:50 -04:00
Jonathan Claudius 7f6bbb6ff2
Fix trailing space issue 2017-04-10 21:38:30 -04:00
Jonathan Claudius 9432a3543f
Extend irssi post mod to grab network passwords 2017-04-10 15:35:26 -04:00
Jonathan Claudius 47d74819a5
Update regex per reviewer request 2017-04-10 14:45:10 -04:00
Jonathan Claudius d816092c56
Fix missing new line 2017-04-10 14:41:25 -04:00
bwatters-r7 dd5a91f153
Land #8008, Added archmigrate module for windows sessions 2017-04-05 08:55:27 -05:00
Koen Riepe 08b2a97293
Changed styling to be more in line with rubocop. 2017-04-05 10:05:56 +02:00
Jonathan Claudius b8af7c1db0
Add irssi password post gather module 2017-04-05 00:56:24 -04:00
h00die 823c1a6286 added more verifieds 2017-03-31 16:52:20 -04:00
h00die 23ac9214ea
land #8010 post gather module for tomcat creds 2017-03-31 16:15:55 -04:00
h00die 34a152dc76 handle no sysinfo from ssh_login 2017-03-31 16:15:16 -04:00
Koen Riepe 22b2215d2e
Fixed a typo causing bot to fail. 2017-03-31 16:40:21 +02:00
Koen Riepe 3a674b731c
Added error handling, added documentation and fixed some style issues. 2017-03-31 16:35:25 +02:00
Koen Riepe 628827cda9
Added some documentation and gracefull error handeling. 2017-03-31 12:45:30 +02:00
Koen Riepe df2a9a4af3
Added documentation file and implemented fixes for output and linux parsing. 2017-03-31 11:19:12 +02:00
Pearce Barry ac83ff7e48
Land #8155, Style fixes for HWBridge RF and a couple small bug fixes 2017-03-29 20:37:13 -05:00
bwatters-r7 691811af5a
Land #7994, Add Windows Gather DynaZIP Saved Password Extraction post module 2017-03-29 16:04:09 -05:00
Pearce Barry 31c03840bb
Style fixes for HWBridge RF and a couple small bug fixes
I should have tweaked these earlier, my bad.
2017-03-26 13:45:19 -05:00
bwatters-r7 be41df6de0
Land #8036, Fix run_as_psh with domain accounts 2017-03-21 09:05:50 -05:00
Pearce Barry c4279a837a Minor formatting/spelling/verbiage changes. 2017-03-20 17:37:12 -05:00
Craig Smith 2fde287424 Initial patch for rftransceiver (RfCat / YardstickOne) 2017-03-20 17:36:16 -05:00
Pearce Barry 2acd941b16 Merge branch 'master' into dtc_fix 2017-03-20 14:10:01 -05:00
Craig Smith 0be6b8c905 Fixes #8022
Adds detection for ELM327 chips reporting CAN ERROR when vehicle is off.
Addes some enhanced UDS Error codes.
Cleaned up reporting from getvinfo if the vehicle is off or not connected.
2017-03-20 13:49:39 -05:00
Pearce Barry 06ebb22a8f
Land #8065, Zigbee Hardware Bridge Extension 2017-03-20 10:44:15 -05:00
William Vu f9ecefe465
Land #8031, nil fixes for HWBridge 2017-03-19 22:37:28 -05:00
Brent Cook e2c6f959f4
Land #8129, s/colom/colon/g 2017-03-19 22:14:38 -05:00
Carter ae883d7f02 Update multi_meterpreter_inject.rb 2017-03-19 00:27:28 -04:00
Carter 661bf6e492 Update multi_meterpreter_inject.rb 2017-03-19 00:27:03 -04:00
Carter 93a6614ab3 Update multi_meterpreter_inject.rb 2017-03-19 00:25:46 -04:00
Pearce Barry d55b680394
Land #8088, Add some binaries to enum_protections 2017-03-17 17:14:59 -05:00
William Webb 1180bd6ed7
Land #8037, priv_migrate improvements 2017-03-17 13:19:51 -05:00
Pearce Barry 095a110e65
Code and doc tweaks (minor).
Only one behavior change in the scan loop of zstumbler.rb to, when doing a scan across all the channels, keep it from retrying channel 11 again one last time just before it exits.
2017-03-16 21:43:36 -05:00
Craig Smith 78586f0dc9 Fixed an extra space at the EOL 2017-03-16 09:22:01 -07:00
William Vu 456ddcebc0 Remove nil values that are default already
There are four lights!
2017-03-15 15:51:22 -05:00
Rich Whitcroft 04f11b0bf7 fix migrate by process name 2017-03-14 17:27:46 -04:00
jvoisin 84b9449137 Add some binaries to enum_protections
- gradm2 for grsec
- aa-status for apparmor
- getenforce for setlinux
2017-03-10 14:16:58 +01:00
Craig Smith f60dae0917 Lots of syntax fixups from rubocop 2017-03-08 09:21:33 -08:00
Koen Riepe c8215e609a
pushing fixes again, something failed. 2017-03-08 10:16:06 +01:00
Koen Riepe 2546263d50
Improved error handling and general fixes 2017-03-08 10:11:05 +01:00
Craig Smith 4e9b8946d8 Fixed some small msftidy issues 2017-03-06 22:47:37 -08:00
Craig Smith 60cd04bc7b Added module for zstumbler 2017-03-06 16:10:14 -08:00
Louis 759b67c565 Fix ru_as_psh with domain accounts
The current versions has too many escape backslashes, as a result, running run_as_psh for domain users does not work.
Also added support for DOMAIN\\User format in the USER parameter.
2017-03-01 13:38:15 +11:00
Craig Smith d4e5cb7993 Fixes #8022
Adds detection for ELM327 chips reporting CAN ERROR when vehicle is off.
Addes some enhanced UDS Error codes.
Cleaned up reporting from getvinfo if the vehicle is off or not connected.
2017-02-27 21:09:57 -08:00
Josh Hale def5088097 Change NOFAIL default to false 2017-02-27 20:37:58 -06:00
Josh Hale 2f5dd38957 Update Admin target list and module description 2017-02-27 20:19:59 -06:00
Josh Hale 3333019e5f Check if current admin proc is in target list 2017-02-27 18:55:25 -06:00
Josh Hale 717879f3df Downcase targets and current proc name 2017-02-27 18:28:46 -06:00
Josh Hale 8e8e7244f4 Add exit language 2017-02-27 18:07:15 -06:00
Josh Hale e1d76b8ff6 Add more error handling 2017-02-27 17:06:16 -06:00
Josh Hale ffb54a13fe Add NOFAIL datastore option 2017-02-27 12:41:18 -06:00
Koen Riepe df7932bb1b
Added more error handling 2017-02-27 13:30:42 +01:00
Koen Riepe 264cfc9bd4
Added OPTIONS to the module 2017-02-27 13:24:31 +01:00
Josh Hale 81efe096aa Update Author Handle 2017-02-26 21:01:19 -06:00
Pearce Barry 37066acc03
Try harder to get user id, correctly handle dirs with spaces.
Fixes #7817.
2017-02-25 20:32:53 -06:00
Koen Riepe b2ad8938ff
Added tomcat_gather modules to Metasploit. 2017-02-24 15:15:55 +01:00
Koen Riepe 4be426df4d
Added jboss_gather module. 2017-02-24 11:18:01 +01:00
Koen Riepe 45b1f796e4
Added archmigrate module to metasploit. 2017-02-24 10:29:19 +01:00
Brendan Coles 0b34efab43 Add documentation 2017-02-23 06:59:05 +00:00
Brendan Coles dc30dd70da Add Windows Gather DynaZIP Saved Password Extraction post module 2017-02-22 22:20:19 +00:00
Craig Smith 8f1856c5d1 Fixed a bug with DTC decoding.
DTC Codes now print the English error messages next to their code with getvinfo
Frozen DTCs can also be fetched via get_frozen_dtcs()
2017-02-15 16:26:23 -08:00
Tim 9e0cb9797b
python -c payload -> echo payload | python 2017-02-04 17:57:17 +08:00
Pearce Barry 23c2787d57
Land #7795, Hardware Bridge API.
Initial bridge API that supports the HW rest protocol.
2017-02-02 08:47:59 -06:00
Pearce Barry 16de745437
Minor code cleanups/corrections. 2017-02-01 16:12:45 -06:00
Brent Cook 15a4ec629b remove TRUE 2017-01-22 10:20:03 -06:00
Brent Cook 836da6177f Cipher::Cipher is deprecated 2017-01-22 10:20:03 -06:00
Brent Cook f69b4a330e handle Ruby 2.4 Fixnum/Bignum -> Integer deprecations 2017-01-22 10:20:03 -06:00
bwatters_r7 bcbb7b86d6 Changed encoding on jscript contents before uploading it 2017-01-13 16:19:58 -06:00
Craig Smith 8635925658 Fixed a typo about gathering realtime PIDs. 2017-01-10 13:20:04 -08:00
Brent Cook cdcf4cce7d improve zip module windows script fallback
- handle non-English locales
 - wait more reliably, handle network paths where FS info gets stale
 - use absolute paths correctly
2017-01-07 12:27:03 -06:00
Craig Smith 5f07bca775 Hardware Bridge API. Initial bridge API that supports the HW rest protocol specified here:
http://opengarages.org/hwbridge  Supports an automotive extension with UDS calls for mdoule
development.
2017-01-06 19:51:41 -08:00
Brent Cook fae4751771
Land #7744, update kiwi extension to Mimikatz 2.1 2016-12-29 16:22:45 -06:00
OJ 18e69b85af
Update the golden ticket module to work with new kiwi 2016-12-23 10:30:06 +10:00
bwatters_r7 e646a8d5c2 Please the rubocop gods (unless they are dumb) 2016-12-21 16:13:53 -08:00
p3nt4 13ccfd7bb3 Update run_as_psh.rb 2016-12-21 09:44:57 +11:00
p3nt4 a9b78e37d2 Update typos 2016-12-21 09:43:18 +11:00
p3nt4 cc99aaafc6 Corrected as per reviews 2016-12-21 09:42:26 +11:00
p3nt4 b9fd1db5fa Add module to runas ysing powershell 2016-12-20 14:38:19 +11:00
Brendan 9b678c2bdd
Land #7685, Add mosule to change user passwords by editing SAM registry 2016-12-16 13:11:40 -06:00
Brent Cook 52346c3fa8 fix renamed rex text 2016-12-15 15:31:00 -06:00
p3nt4 deec6eccdf Update hashcarve.rb 2016-12-12 17:09:04 +11:00
p3nt4 3e80ee1d6a Better Error Handling 2016-12-12 17:07:47 +11:00
p3nt4 7b4dce5e7e One left! 2016-12-09 16:27:40 +11:00
p3nt4 74c48f5fa4 I'll get there! 2016-12-09 16:24:49 +11:00
p3nt4 c898e768f6 Struggling with tidyness 2016-12-09 16:00:32 +11:00
p3nt4 586b2d92e2 Corrected status prints 2016-12-09 15:45:30 +11:00
p3nt4 fb360e69c0 Initial Commit
This module "carves" a hash in the registries to set it as a user password.

The benefits are:
1/ It doesn't change the password last change field
2/ You can set a hash directly, so you can change  a user's password and revert it without cracking its hash.

I have tested it in Windows 7, and 8.1. Should work on every version though.

Usage:
 run post/windows/manage/hashcarve user=test pass=<password>
 run post/windows/manage/hashcarve user=test pass=<nthash>
 run post/windows/manage/hashcarve user=test pass=<lmhash:nthash>

This work is based on the hashdump implementation.
2016-12-09 15:41:01 +11:00
Javier Godinez 0d41160b03 Sanity checks, errors out with nil ptr if API call fails 2016-12-08 16:14:10 -08:00
Javier Godinez a17d1a7e19 Added options for setting the PASSWORD and GROUPNAME 2016-12-08 16:13:31 -08:00
Jon Hart 4614b7023d
Land #7604, @godinezj's post module for creating AWS IAM accounts 2016-12-08 14:26:22 -08:00
Jon Hart aa29fcad80
Update docs and pretty print the loot 2016-12-08 14:25:07 -08:00
Jon Hart 70668c289f
Use better loot args 2016-12-08 13:14:36 -08:00
Jon Hart 162204b338
Support creating a password for the user, etc 2016-12-08 12:56:00 -08:00
Javier Godinez a9cb08a352 Token should be passed as nil if not set 2016-12-07 10:16:41 -08:00
Jon Hart 1c3f0437ed
Move some options back to non-advanced 2016-12-06 17:39:37 -08:00
Jon Hart a13382c80b
Address most of rubocop's nits 2016-12-06 17:10:34 -08:00
Jon Hart 8f21a1f68c
move most options to advance, since they never change
Also, doc empty username
2016-12-06 16:29:00 -08:00
Javier Godinez 497e02955b Fixed checking for access keys being retrieved 2016-11-29 11:08:55 -08:00
Javier Godinez cb0313642b Fixed setting IAM_USERNAME 2016-11-29 00:54:49 +00:00
Javier Godinez 46ce1dfaab Now using random string as IAM_USERNAME unless specified 2016-11-28 16:32:53 -08:00
Javier Godinez f8789fef38 Moved METADATA_IP to advanced options 2016-11-28 16:32:26 -08:00
William Vu b6fe6c1d38 Fix #7597, minor changes to enum_messages 2016-11-28 17:37:32 -06:00
Javier Godinez b4add59a3d Moved metadata_creds() so Client can be included in Aux/Post modules 2016-11-24 21:03:38 -08:00
root dc64f63517 Removed useless comments 2016-11-24 01:33:20 +00:00
root 5284e20a52 Optimised SQL vars, removed unneeded requires and changed the "exec" function name 2016-11-24 01:27:03 +00:00
Javier Godinez c48587066d Added reference and minor fixes 2016-11-23 10:58:37 -08:00
Javier Godinez 43e1b5bdd1 Adds module to create an AWS IAM user from a pwned AWS host 2016-11-22 14:55:03 -08:00
root ce514ed3e5 Fixed broken fail_with function call and whitespace on line ending 2016-11-22 03:04:12 +00:00
root e0f8d622ec Added metasploit module for access OSX messages database 2016-11-22 02:53:38 +00:00
Brent Cook f313389be4 Merge remote-tracking branch 'upstream/master' into land-7507-uuid-arch 2016-11-20 19:08:56 -06:00
David Maloney 8e3888f20c the template ref in this module was missed
when we cleaned up all the other powershell template refs
we missed the one in this module which seems to e replicating
large ammounts of library code

7533
2016-11-11 14:24:33 -06:00
dmohanty-r7 2b5517f597
Land #7506, Add gather AWS keys post module 2016-11-11 13:56:12 -06:00
OJ e5ea4a53d3
Fix typo in windows cred phish module 2016-11-04 13:26:10 +10:00
OJ 47ec362148
Small fixes for dbvis enum 2016-11-01 07:35:36 +10:00
OJ ffb53b7ca3
Tidy arch check in meterpreter inject 2016-11-01 01:51:12 +10:00
OJ 557424d2ec
Small tidy of the multiport_egress_traffic module 2016-11-01 01:46:58 +10:00
OJ ec8536f7e9
Fix firefox module to use symbols where appopriate 2016-11-01 01:43:25 +10:00
OJ b9bbb5e857
Replace regex use with direct string checks in dbvis module 2016-11-01 01:35:01 +10:00
Konrads Smelkovs f754adad0c Fix typo PAYLOAD_OVERWRITE vs PAYLOAD_OVERRIDE 2016-10-29 11:20:32 +01:00
OJ 640827c24b
Final pass of regex -> string checks 2016-10-29 14:59:05 +10:00
OJ 57eabda5dc
Merge upstream/master 2016-10-29 13:54:31 +10:00
OJ 8b97183924
Update UUID to match detected platform, fail exploit on invalid session 2016-10-29 13:45:28 +10:00
OJ 0737d7ca12
Tidy code, remove regex and use comparison for platform checks 2016-10-29 13:41:20 +10:00
Jon Hart 8173e87756
Add references 2016-10-28 16:12:46 -07:00
Jon Hart 96c204d1ea
Add aws_keys docs; correct description 2016-10-28 15:27:47 -07:00
OJ 751742face
Fix typo in arch check for inject script 2016-10-29 08:25:23 +10:00
OJ 1ca2fe1398
More platform/arch/session fixes 2016-10-29 08:11:20 +10:00
Jon Hart 7dea613507
Initial commit of module for snagging AWS key material from shell/meterpreter sessions 2016-10-28 14:48:55 -07:00
OJ 1d617ae389
Implement first pass of architecture/platform refactor 2016-10-28 07:16:05 +10:00
David Maloney 6a31dad678
clean up some style guide issues with rubocop
applied rubocop to the module for some
tidying up
2016-10-25 11:24:32 -05:00
drforbin 94979f4541 changed formatting for else statements 2016-10-25 09:42:00 -05:00
drforbin 6f3c20069b fixed formatting errors for travis 2016-10-25 09:42:00 -05:00
drforbin 0ec153eb9c changed formatting, changed to OptPath. cleaned unneeded code 2016-10-25 09:41:59 -05:00
drforbin 3b9a441382 cleaned up write_target, and variables REXE 2016-10-25 09:41:59 -05:00
drforbin c3ada74728 changed formatting to comform with travis 2016-10-25 09:41:59 -05:00
drforbin 0395d57512 formatting changes and design changes. tested 2016-10-25 09:41:58 -05:00
drforbin 337e3b6cce added persistence_exe.rb to windows post modules 2016-10-25 09:41:58 -05:00
David Maloney 6b77f509ba
fixes bad file refs for cmdstagers
when moving to the rex-exploitation gem some of the
file references were missed, partially due to silly differences
between how each file was referenced

Fixes #7466
2016-10-21 12:31:18 -05:00
OJ 022830634b
Rejig platform to use windows instead of win32/win64 2016-10-14 10:10:04 +10:00
Brent Cook b77a910205
Land #7355, allwinner post to local exploit conversion 2016-10-08 21:38:54 -05:00
Brent Cook bd24e7eba0 more cleanups and print output on auto-run 2016-10-08 21:14:26 -05:00
Brent Cook 5284db6b58 module cleanup 2016-10-08 20:17:29 -05:00
Brent Cook 199bf8e726 cleanups and update to require 4.0 CLR by default 2016-10-08 15:24:13 -05:00
RageLtMan 44c5fc3250 Sync build_net_code post module upstream
Fix merge conflicts and add missing lines to framework version of
the DotNet compiler example module.

Test output to come in PR #5393
2016-10-08 14:06:35 -05:00
wchen-r7 0e57808914 Update to class name MetasploitModule 2016-10-08 14:06:35 -05:00
RageLtMan 36b989e6d7 Initial import of .NET compiler and persistence
Add Exploit::Powershell::DotNet namespace with compiler and
runtime elevator.

Add compiler modules for payloads and custom .NET code/blocks.

==============

Powershell-based persistence module to compile .NET templates
with MSF payloads into binaries which persist on host.
Templates by @hostess (way back in 2012).

C# templates for simple binaries and a service executable with
its own install wrapper.

==============

Generic .NET compiler post module

Compiles .NET source code to binary on compromised hosts.
Useful for home-grown APT deployment, decoy creation, and other
misdirection or collection activities.

Using mimikatz (kiwi), one can also extract host-resident certs
and use them to sign the generated binary, thus creating a
locally trusted exe which helps with certain defensive measures.

==============

Concept:

Microsoft has graciously included a compiler in every modern
version of Windows. Although executables which can be easily
invoked by the user may not be present on all hosts, the
shared runtime of .NET and Powershell exposes this functionality
to all users with access to Powershell.

This commit provides a way to execute the compiler entirely in
memory, seeking to avoid disk access and the associated forensic
and defensive measures. Resulting .NET assemblies can be run
from memory, or written to disk (with the option of signing
them using a pfx cert on the host). Two basic modules are
provided to showcase the functionality and execution pipeline.

Usage notes:

Binaries generated this way are dynamic by nature and avoid sig
based detection. Heuristics, sandboxing, and other isolation
mechanisms must be defeated by the user for now. Play with
compiler options, included libraries, and runtime environments
for maximum entropy before you hit the temmplates.

Defenders should watch for:
Using this in conjunction with WMI/PS remoting or other MSFT
native distributed execution mechanism can bring malware labs
to their knees with properly crafted templates.
The powershell code to generate the binaries also provides a
convenient method to leave behind complex trojans which are not
yet in binary form, nor will they be until execution (which can
occur strictly in memory avoiding disk access for the final
product).

==============

On responsible disclosure: I've received some heat over the years
for prior work in this arena. Everything here is already public,
and has been in closed PRs in the R7 repo for years. The bad guys
have had this for a while (they do their homework religiously),
defenders need to be made aware of this approach and prepare
themselves to deal with it.
2016-10-08 14:05:53 -05:00
Jon Hart b3c6ec09a0
Show status when gathering, which can take a bit 2016-09-30 06:42:22 -07:00
Jon Hart abed3bf6c2
Rename 2016-09-30 06:35:26 -07:00
Jon Hart 9ee6e1931a
target_uri simplification, cleanup 2016-09-30 06:24:50 -07:00
Jon Hart 60cfe6216a
mstfidy 2016-09-29 22:00:35 -07:00
Jon Hart 558adb5e1e
Uncork module and address style issues 2016-09-29 21:59:19 -07:00
Jon Hart b2e06bed66
Initial commit of post module to gather AWS EC2 instance metadata 2016-09-29 21:52:22 -07:00
jvoisin 2272e15ca2 Remove some anti-patterns, in the same spirit than #7372 2016-09-29 00:15:01 +02:00
Henry Pitcairn e5c05c05d2 Make OSX screencapture silent
By default, the `screencapture` command on OS X plays a camera sound effect. The -x option silences this.
2016-09-25 22:54:57 -04:00
h00die cba297644e post to local conversion 2016-09-22 22:08:24 -04:00
Brent Cook 60e728ec5c
Land #7065, Correct display errors for SHA-512 hashes with MS SQL Server 2012 2016-09-15 18:06:02 -05:00