Harvey Phillips
4278339869
Added multi-file support for torrc and use locate instead of find when searching
2017-06-07 20:08:23 +01:00
Harvey Phillips
71fde14b6c
Linux post module to grab TOR hidden service hostnames and private keys
2017-06-06 22:29:14 +01:00
Harvey Phillips
f557aa3c9c
Linux post module to search for and grab TOR hidden service configurations
2017-06-06 21:59:02 +01:00
David Maloney
42aa2e5acf
add some attempts at debugging to ntds
...
add some logging and more status outputs to the
NTDS domain hasdump. Also force the encoding on
strings to UTF8
2017-06-05 15:21:50 -05:00
Borja Merino
7077ac0523
Meterpreter Post-exploitation module to mount vmdk files
2017-05-25 11:47:04 +02:00
bwatters-r7
461649ed34
Land #8378 , Add check in archmigrate to prevent privdesc
2017-05-23 14:37:29 -05:00
Carter
c73e7673b1
Please the rubocop god
2017-05-23 15:13:55 -04:00
Carter
e945773576
Update archmigrate.rb
2017-05-23 14:40:42 -04:00
James Lee
b78749bc1b
Land #8221 , move autoroute
2017-05-17 15:17:45 -05:00
Carter
5ee570bb9c
Fix non-uniform spelling and capitalization
2017-05-15 08:31:01 -04:00
Carter
ce7b967a13
Update archmigrate.rb
2017-05-13 13:35:48 -04:00
Carter
78b0fb00da
I committed to the wrong branch
2017-05-13 13:35:13 -04:00
Carter
0bd11062e4
Ass SYSTEM check to archmigrate
2017-05-13 13:28:28 -04:00
Brent Cook
7bcaaf33c7
Land #8294 , gnome keyring post exploit credential dumper
2017-05-12 10:08:53 -05:00
Brent Cook
e9fcc3c291
msftidy fixes
2017-05-12 10:08:26 -05:00
h00die
af4505a9de
land #8009 post module for jboss creds gather
2017-05-11 22:39:54 -04:00
h00die
285857c23f
remove req msfcore
2017-05-11 22:39:41 -04:00
h00die
6fa51aee8f
moving docs to correct folder
2017-05-11 22:33:00 -04:00
Josh Hale
843f148e62
One more yard doc function
2017-05-10 23:01:03 -05:00
Josh Hale
e84765c1c6
All functions have yard doc like comments
2017-05-10 23:01:03 -05:00
Josh Hale
c5391c2a64
Update cmd print to match core.rb
2017-05-10 23:01:03 -05:00
Josh Hale
10c7c3893a
Add subnet check for Android payloads
2017-05-10 23:01:03 -05:00
Josh Hale
c49bd9ee4e
Add session ready check
2017-05-10 23:01:03 -05:00
Josh Hale
97eaa83114
Update delete all routes
2017-05-10 23:01:03 -05:00
Josh Hale
f670fcddcb
Initial code cleanup and multi compatibility work
2017-05-10 23:01:02 -05:00
Brent Cook
099fc0176a
move autoroute to a more sensible location
2017-05-10 23:01:02 -05:00
Pearce Barry
af3f1fbc37
Land #8332 , Canprobe Module
2017-05-07 12:20:27 -05:00
Pearce Barry
c05e7b3b58
Minor corrections and a tweak to appease msftidy.
2017-05-07 11:55:20 -05:00
Pearce Barry
e3d3fa8e45
Tweak internal description formatting.
2017-05-07 11:31:36 -05:00
Pearce Barry
b965bdcdae
Appease msftidy and Travis.
2017-05-07 11:19:32 -05:00
darkbushido
81bcf2ca70
updating all LHOST to use the new opt type
2017-05-04 12:57:50 -05:00
William Vu
64452de06d
Fix msf/core and self.class msftidy warnings
...
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
Craig Smith
9877aa9ef9
Added documentation and cleand up how STOPID worked
2017-05-02 18:57:32 -07:00
Craig Smith
3519adbaef
A basic CAN fuzzer. It probes the data regions of different CAN IDs.
...
The default is to use a set value but can iterate the full range. It can
also add padding if necessary. Not checks on returns or results of fuzzing.
2017-05-02 14:19:29 -07:00
Spencer McIntyre
da6c03d13f
Fix function names to always be snake_case
2017-04-26 09:30:29 -04:00
wchen-r7
c573628e10
Fix header
2017-04-24 17:01:35 -05:00
Spencer McIntyre
ffe6d35b4d
Add a module to dump network passwords from gnome
2017-04-21 16:17:18 -04:00
Koen Riepe
55ab800f13
Minor code fixes.
2017-04-19 14:41:11 +02:00
James Lee
84dd5cd01a
Add a simple upload exec module
2017-04-17 19:34:21 -05:00
William Webb
48560d29f3
remove keyscan_extract and modify calling modules
2017-04-13 10:42:28 -05:00
Koen Riepe
9f289bdf52
Fixed error messages and some syntax.
2017-04-12 13:48:11 +02:00
William Vu
288e384164
Land #8189 , irssi password post gather module
2017-04-10 23:34:54 -05:00
Jonathan Claudius
96927b449c
Rework module to grab entire irssi configs
2017-04-11 00:02:40 -04:00
Jonathan Claudius
6a1531da34
Fix loot name attributes
2017-04-10 23:52:31 -04:00
Jonathan Claudius
d92f94e077
Fix grammar issue
2017-04-10 23:44:18 -04:00
Jonathan Claudius
d9e96a8b4f
Consolidate loot into single file
2017-04-10 23:42:50 -04:00
Jonathan Claudius
7f6bbb6ff2
Fix trailing space issue
2017-04-10 21:38:30 -04:00
Jonathan Claudius
9432a3543f
Extend irssi post mod to grab network passwords
2017-04-10 15:35:26 -04:00
Jonathan Claudius
47d74819a5
Update regex per reviewer request
2017-04-10 14:45:10 -04:00
Jonathan Claudius
d816092c56
Fix missing new line
2017-04-10 14:41:25 -04:00
bwatters-r7
dd5a91f153
Land #8008 , Added archmigrate module for windows sessions
2017-04-05 08:55:27 -05:00
Koen Riepe
08b2a97293
Changed styling to be more in line with rubocop.
2017-04-05 10:05:56 +02:00
Jonathan Claudius
b8af7c1db0
Add irssi password post gather module
2017-04-05 00:56:24 -04:00
h00die
823c1a6286
added more verifieds
2017-03-31 16:52:20 -04:00
h00die
23ac9214ea
land #8010 post gather module for tomcat creds
2017-03-31 16:15:55 -04:00
h00die
34a152dc76
handle no sysinfo from ssh_login
2017-03-31 16:15:16 -04:00
Koen Riepe
22b2215d2e
Fixed a typo causing bot to fail.
2017-03-31 16:40:21 +02:00
Koen Riepe
3a674b731c
Added error handling, added documentation and fixed some style issues.
2017-03-31 16:35:25 +02:00
Koen Riepe
628827cda9
Added some documentation and gracefull error handeling.
2017-03-31 12:45:30 +02:00
Koen Riepe
df2a9a4af3
Added documentation file and implemented fixes for output and linux parsing.
2017-03-31 11:19:12 +02:00
Pearce Barry
ac83ff7e48
Land #8155 , Style fixes for HWBridge RF and a couple small bug fixes
2017-03-29 20:37:13 -05:00
bwatters-r7
691811af5a
Land #7994 , Add Windows Gather DynaZIP Saved Password Extraction post module
2017-03-29 16:04:09 -05:00
Pearce Barry
31c03840bb
Style fixes for HWBridge RF and a couple small bug fixes
...
I should have tweaked these earlier, my bad.
2017-03-26 13:45:19 -05:00
bwatters-r7
be41df6de0
Land #8036 , Fix run_as_psh with domain accounts
2017-03-21 09:05:50 -05:00
Pearce Barry
c4279a837a
Minor formatting/spelling/verbiage changes.
2017-03-20 17:37:12 -05:00
Craig Smith
2fde287424
Initial patch for rftransceiver (RfCat / YardstickOne)
2017-03-20 17:36:16 -05:00
Pearce Barry
2acd941b16
Merge branch 'master' into dtc_fix
2017-03-20 14:10:01 -05:00
Craig Smith
0be6b8c905
Fixes #8022
...
Adds detection for ELM327 chips reporting CAN ERROR when vehicle is off.
Addes some enhanced UDS Error codes.
Cleaned up reporting from getvinfo if the vehicle is off or not connected.
2017-03-20 13:49:39 -05:00
Pearce Barry
06ebb22a8f
Land #8065 , Zigbee Hardware Bridge Extension
2017-03-20 10:44:15 -05:00
William Vu
f9ecefe465
Land #8031 , nil fixes for HWBridge
2017-03-19 22:37:28 -05:00
Brent Cook
e2c6f959f4
Land #8129 , s/colom/colon/g
2017-03-19 22:14:38 -05:00
Carter
ae883d7f02
Update multi_meterpreter_inject.rb
2017-03-19 00:27:28 -04:00
Carter
661bf6e492
Update multi_meterpreter_inject.rb
2017-03-19 00:27:03 -04:00
Carter
93a6614ab3
Update multi_meterpreter_inject.rb
2017-03-19 00:25:46 -04:00
Pearce Barry
d55b680394
Land #8088 , Add some binaries to enum_protections
2017-03-17 17:14:59 -05:00
William Webb
1180bd6ed7
Land #8037 , priv_migrate improvements
2017-03-17 13:19:51 -05:00
Pearce Barry
095a110e65
Code and doc tweaks (minor).
...
Only one behavior change in the scan loop of zstumbler.rb to, when doing a scan across all the channels, keep it from retrying channel 11 again one last time just before it exits.
2017-03-16 21:43:36 -05:00
Craig Smith
78586f0dc9
Fixed an extra space at the EOL
2017-03-16 09:22:01 -07:00
William Vu
456ddcebc0
Remove nil values that are default already
...
There are four lights!
2017-03-15 15:51:22 -05:00
Rich Whitcroft
04f11b0bf7
fix migrate by process name
2017-03-14 17:27:46 -04:00
jvoisin
84b9449137
Add some binaries to enum_protections
...
- gradm2 for grsec
- aa-status for apparmor
- getenforce for setlinux
2017-03-10 14:16:58 +01:00
Craig Smith
f60dae0917
Lots of syntax fixups from rubocop
2017-03-08 09:21:33 -08:00
Koen Riepe
c8215e609a
pushing fixes again, something failed.
2017-03-08 10:16:06 +01:00
Koen Riepe
2546263d50
Improved error handling and general fixes
2017-03-08 10:11:05 +01:00
Craig Smith
4e9b8946d8
Fixed some small msftidy issues
2017-03-06 22:47:37 -08:00
Craig Smith
60cd04bc7b
Added module for zstumbler
2017-03-06 16:10:14 -08:00
Louis
759b67c565
Fix ru_as_psh with domain accounts
...
The current versions has too many escape backslashes, as a result, running run_as_psh for domain users does not work.
Also added support for DOMAIN\\User format in the USER parameter.
2017-03-01 13:38:15 +11:00
Craig Smith
d4e5cb7993
Fixes #8022
...
Adds detection for ELM327 chips reporting CAN ERROR when vehicle is off.
Addes some enhanced UDS Error codes.
Cleaned up reporting from getvinfo if the vehicle is off or not connected.
2017-02-27 21:09:57 -08:00
Josh Hale
def5088097
Change NOFAIL default to false
2017-02-27 20:37:58 -06:00
Josh Hale
2f5dd38957
Update Admin target list and module description
2017-02-27 20:19:59 -06:00
Josh Hale
3333019e5f
Check if current admin proc is in target list
2017-02-27 18:55:25 -06:00
Josh Hale
717879f3df
Downcase targets and current proc name
2017-02-27 18:28:46 -06:00
Josh Hale
8e8e7244f4
Add exit language
2017-02-27 18:07:15 -06:00
Josh Hale
e1d76b8ff6
Add more error handling
2017-02-27 17:06:16 -06:00
Josh Hale
ffb54a13fe
Add NOFAIL datastore option
2017-02-27 12:41:18 -06:00
Koen Riepe
df7932bb1b
Added more error handling
2017-02-27 13:30:42 +01:00
Koen Riepe
264cfc9bd4
Added OPTIONS to the module
2017-02-27 13:24:31 +01:00
Josh Hale
81efe096aa
Update Author Handle
2017-02-26 21:01:19 -06:00
Pearce Barry
37066acc03
Try harder to get user id, correctly handle dirs with spaces.
...
Fixes #7817 .
2017-02-25 20:32:53 -06:00
Koen Riepe
b2ad8938ff
Added tomcat_gather modules to Metasploit.
2017-02-24 15:15:55 +01:00
Koen Riepe
4be426df4d
Added jboss_gather module.
2017-02-24 11:18:01 +01:00
Koen Riepe
45b1f796e4
Added archmigrate module to metasploit.
2017-02-24 10:29:19 +01:00
Brendan Coles
0b34efab43
Add documentation
2017-02-23 06:59:05 +00:00
Brendan Coles
dc30dd70da
Add Windows Gather DynaZIP Saved Password Extraction post module
2017-02-22 22:20:19 +00:00
Craig Smith
8f1856c5d1
Fixed a bug with DTC decoding.
...
DTC Codes now print the English error messages next to their code with getvinfo
Frozen DTCs can also be fetched via get_frozen_dtcs()
2017-02-15 16:26:23 -08:00
Tim
9e0cb9797b
python -c payload -> echo payload | python
2017-02-04 17:57:17 +08:00
Pearce Barry
23c2787d57
Land #7795 , Hardware Bridge API.
...
Initial bridge API that supports the HW rest protocol.
2017-02-02 08:47:59 -06:00
Pearce Barry
16de745437
Minor code cleanups/corrections.
2017-02-01 16:12:45 -06:00
Brent Cook
15a4ec629b
remove TRUE
2017-01-22 10:20:03 -06:00
Brent Cook
836da6177f
Cipher::Cipher is deprecated
2017-01-22 10:20:03 -06:00
Brent Cook
f69b4a330e
handle Ruby 2.4 Fixnum/Bignum -> Integer deprecations
2017-01-22 10:20:03 -06:00
bwatters_r7
bcbb7b86d6
Changed encoding on jscript contents before uploading it
2017-01-13 16:19:58 -06:00
Craig Smith
8635925658
Fixed a typo about gathering realtime PIDs.
2017-01-10 13:20:04 -08:00
Brent Cook
cdcf4cce7d
improve zip module windows script fallback
...
- handle non-English locales
- wait more reliably, handle network paths where FS info gets stale
- use absolute paths correctly
2017-01-07 12:27:03 -06:00
Craig Smith
5f07bca775
Hardware Bridge API. Initial bridge API that supports the HW rest protocol specified here:
...
http://opengarages.org/hwbridge Supports an automotive extension with UDS calls for mdoule
development.
2017-01-06 19:51:41 -08:00
Brent Cook
fae4751771
Land #7744 , update kiwi extension to Mimikatz 2.1
2016-12-29 16:22:45 -06:00
OJ
18e69b85af
Update the golden ticket module to work with new kiwi
2016-12-23 10:30:06 +10:00
bwatters_r7
e646a8d5c2
Please the rubocop gods (unless they are dumb)
2016-12-21 16:13:53 -08:00
p3nt4
13ccfd7bb3
Update run_as_psh.rb
2016-12-21 09:44:57 +11:00
p3nt4
a9b78e37d2
Update typos
2016-12-21 09:43:18 +11:00
p3nt4
cc99aaafc6
Corrected as per reviews
2016-12-21 09:42:26 +11:00
p3nt4
b9fd1db5fa
Add module to runas ysing powershell
2016-12-20 14:38:19 +11:00
Brendan
9b678c2bdd
Land #7685 , Add mosule to change user passwords by editing SAM registry
2016-12-16 13:11:40 -06:00
Brent Cook
52346c3fa8
fix renamed rex text
2016-12-15 15:31:00 -06:00
p3nt4
deec6eccdf
Update hashcarve.rb
2016-12-12 17:09:04 +11:00
p3nt4
3e80ee1d6a
Better Error Handling
2016-12-12 17:07:47 +11:00
p3nt4
7b4dce5e7e
One left!
2016-12-09 16:27:40 +11:00
p3nt4
74c48f5fa4
I'll get there!
2016-12-09 16:24:49 +11:00
p3nt4
c898e768f6
Struggling with tidyness
2016-12-09 16:00:32 +11:00
p3nt4
586b2d92e2
Corrected status prints
2016-12-09 15:45:30 +11:00
p3nt4
fb360e69c0
Initial Commit
...
This module "carves" a hash in the registries to set it as a user password.
The benefits are:
1/ It doesn't change the password last change field
2/ You can set a hash directly, so you can change a user's password and revert it without cracking its hash.
I have tested it in Windows 7, and 8.1. Should work on every version though.
Usage:
run post/windows/manage/hashcarve user=test pass=<password>
run post/windows/manage/hashcarve user=test pass=<nthash>
run post/windows/manage/hashcarve user=test pass=<lmhash:nthash>
This work is based on the hashdump implementation.
2016-12-09 15:41:01 +11:00
Javier Godinez
0d41160b03
Sanity checks, errors out with nil ptr if API call fails
2016-12-08 16:14:10 -08:00
Javier Godinez
a17d1a7e19
Added options for setting the PASSWORD and GROUPNAME
2016-12-08 16:13:31 -08:00
Jon Hart
4614b7023d
Land #7604 , @godinezj's post module for creating AWS IAM accounts
2016-12-08 14:26:22 -08:00
Jon Hart
aa29fcad80
Update docs and pretty print the loot
2016-12-08 14:25:07 -08:00
Jon Hart
70668c289f
Use better loot args
2016-12-08 13:14:36 -08:00
Jon Hart
162204b338
Support creating a password for the user, etc
2016-12-08 12:56:00 -08:00
Javier Godinez
a9cb08a352
Token should be passed as nil if not set
2016-12-07 10:16:41 -08:00
Jon Hart
1c3f0437ed
Move some options back to non-advanced
2016-12-06 17:39:37 -08:00
Jon Hart
a13382c80b
Address most of rubocop's nits
2016-12-06 17:10:34 -08:00
Jon Hart
8f21a1f68c
move most options to advance, since they never change
...
Also, doc empty username
2016-12-06 16:29:00 -08:00
Javier Godinez
497e02955b
Fixed checking for access keys being retrieved
2016-11-29 11:08:55 -08:00
Javier Godinez
cb0313642b
Fixed setting IAM_USERNAME
2016-11-29 00:54:49 +00:00
Javier Godinez
46ce1dfaab
Now using random string as IAM_USERNAME unless specified
2016-11-28 16:32:53 -08:00
Javier Godinez
f8789fef38
Moved METADATA_IP to advanced options
2016-11-28 16:32:26 -08:00
William Vu
b6fe6c1d38
Fix #7597 , minor changes to enum_messages
2016-11-28 17:37:32 -06:00
Javier Godinez
b4add59a3d
Moved metadata_creds() so Client can be included in Aux/Post modules
2016-11-24 21:03:38 -08:00
root
dc64f63517
Removed useless comments
2016-11-24 01:33:20 +00:00
root
5284e20a52
Optimised SQL vars, removed unneeded requires and changed the "exec" function name
2016-11-24 01:27:03 +00:00
Javier Godinez
c48587066d
Added reference and minor fixes
2016-11-23 10:58:37 -08:00
Javier Godinez
43e1b5bdd1
Adds module to create an AWS IAM user from a pwned AWS host
2016-11-22 14:55:03 -08:00
root
ce514ed3e5
Fixed broken fail_with function call and whitespace on line ending
2016-11-22 03:04:12 +00:00
root
e0f8d622ec
Added metasploit module for access OSX messages database
2016-11-22 02:53:38 +00:00
Brent Cook
f313389be4
Merge remote-tracking branch 'upstream/master' into land-7507-uuid-arch
2016-11-20 19:08:56 -06:00
David Maloney
8e3888f20c
the template ref in this module was missed
...
when we cleaned up all the other powershell template refs
we missed the one in this module which seems to e replicating
large ammounts of library code
7533
2016-11-11 14:24:33 -06:00
dmohanty-r7
2b5517f597
Land #7506 , Add gather AWS keys post module
2016-11-11 13:56:12 -06:00
OJ
e5ea4a53d3
Fix typo in windows cred phish module
2016-11-04 13:26:10 +10:00
OJ
47ec362148
Small fixes for dbvis enum
2016-11-01 07:35:36 +10:00
OJ
ffb53b7ca3
Tidy arch check in meterpreter inject
2016-11-01 01:51:12 +10:00
OJ
557424d2ec
Small tidy of the multiport_egress_traffic module
2016-11-01 01:46:58 +10:00
OJ
ec8536f7e9
Fix firefox module to use symbols where appopriate
2016-11-01 01:43:25 +10:00
OJ
b9bbb5e857
Replace regex use with direct string checks in dbvis module
2016-11-01 01:35:01 +10:00
Konrads Smelkovs
f754adad0c
Fix typo PAYLOAD_OVERWRITE vs PAYLOAD_OVERRIDE
2016-10-29 11:20:32 +01:00
OJ
640827c24b
Final pass of regex -> string checks
2016-10-29 14:59:05 +10:00
OJ
57eabda5dc
Merge upstream/master
2016-10-29 13:54:31 +10:00
OJ
8b97183924
Update UUID to match detected platform, fail exploit on invalid session
2016-10-29 13:45:28 +10:00
OJ
0737d7ca12
Tidy code, remove regex and use comparison for platform checks
2016-10-29 13:41:20 +10:00
Jon Hart
8173e87756
Add references
2016-10-28 16:12:46 -07:00
Jon Hart
96c204d1ea
Add aws_keys docs; correct description
2016-10-28 15:27:47 -07:00
OJ
751742face
Fix typo in arch check for inject script
2016-10-29 08:25:23 +10:00
OJ
1ca2fe1398
More platform/arch/session fixes
2016-10-29 08:11:20 +10:00
Jon Hart
7dea613507
Initial commit of module for snagging AWS key material from shell/meterpreter sessions
2016-10-28 14:48:55 -07:00
OJ
1d617ae389
Implement first pass of architecture/platform refactor
2016-10-28 07:16:05 +10:00
David Maloney
6a31dad678
clean up some style guide issues with rubocop
...
applied rubocop to the module for some
tidying up
2016-10-25 11:24:32 -05:00
drforbin
94979f4541
changed formatting for else statements
2016-10-25 09:42:00 -05:00
drforbin
6f3c20069b
fixed formatting errors for travis
2016-10-25 09:42:00 -05:00
drforbin
0ec153eb9c
changed formatting, changed to OptPath. cleaned unneeded code
2016-10-25 09:41:59 -05:00
drforbin
3b9a441382
cleaned up write_target, and variables REXE
2016-10-25 09:41:59 -05:00
drforbin
c3ada74728
changed formatting to comform with travis
2016-10-25 09:41:59 -05:00
drforbin
0395d57512
formatting changes and design changes. tested
2016-10-25 09:41:58 -05:00
drforbin
337e3b6cce
added persistence_exe.rb to windows post modules
2016-10-25 09:41:58 -05:00
David Maloney
6b77f509ba
fixes bad file refs for cmdstagers
...
when moving to the rex-exploitation gem some of the
file references were missed, partially due to silly differences
between how each file was referenced
Fixes #7466
2016-10-21 12:31:18 -05:00
OJ
022830634b
Rejig platform to use windows instead of win32/win64
2016-10-14 10:10:04 +10:00
Brent Cook
b77a910205
Land #7355 , allwinner post to local exploit conversion
2016-10-08 21:38:54 -05:00
Brent Cook
bd24e7eba0
more cleanups and print output on auto-run
2016-10-08 21:14:26 -05:00
Brent Cook
5284db6b58
module cleanup
2016-10-08 20:17:29 -05:00
Brent Cook
199bf8e726
cleanups and update to require 4.0 CLR by default
2016-10-08 15:24:13 -05:00
RageLtMan
44c5fc3250
Sync build_net_code post module upstream
...
Fix merge conflicts and add missing lines to framework version of
the DotNet compiler example module.
Test output to come in PR #5393
2016-10-08 14:06:35 -05:00
wchen-r7
0e57808914
Update to class name MetasploitModule
2016-10-08 14:06:35 -05:00
RageLtMan
36b989e6d7
Initial import of .NET compiler and persistence
...
Add Exploit::Powershell::DotNet namespace with compiler and
runtime elevator.
Add compiler modules for payloads and custom .NET code/blocks.
==============
Powershell-based persistence module to compile .NET templates
with MSF payloads into binaries which persist on host.
Templates by @hostess (way back in 2012).
C# templates for simple binaries and a service executable with
its own install wrapper.
==============
Generic .NET compiler post module
Compiles .NET source code to binary on compromised hosts.
Useful for home-grown APT deployment, decoy creation, and other
misdirection or collection activities.
Using mimikatz (kiwi), one can also extract host-resident certs
and use them to sign the generated binary, thus creating a
locally trusted exe which helps with certain defensive measures.
==============
Concept:
Microsoft has graciously included a compiler in every modern
version of Windows. Although executables which can be easily
invoked by the user may not be present on all hosts, the
shared runtime of .NET and Powershell exposes this functionality
to all users with access to Powershell.
This commit provides a way to execute the compiler entirely in
memory, seeking to avoid disk access and the associated forensic
and defensive measures. Resulting .NET assemblies can be run
from memory, or written to disk (with the option of signing
them using a pfx cert on the host). Two basic modules are
provided to showcase the functionality and execution pipeline.
Usage notes:
Binaries generated this way are dynamic by nature and avoid sig
based detection. Heuristics, sandboxing, and other isolation
mechanisms must be defeated by the user for now. Play with
compiler options, included libraries, and runtime environments
for maximum entropy before you hit the temmplates.
Defenders should watch for:
Using this in conjunction with WMI/PS remoting or other MSFT
native distributed execution mechanism can bring malware labs
to their knees with properly crafted templates.
The powershell code to generate the binaries also provides a
convenient method to leave behind complex trojans which are not
yet in binary form, nor will they be until execution (which can
occur strictly in memory avoiding disk access for the final
product).
==============
On responsible disclosure: I've received some heat over the years
for prior work in this arena. Everything here is already public,
and has been in closed PRs in the R7 repo for years. The bad guys
have had this for a while (they do their homework religiously),
defenders need to be made aware of this approach and prepare
themselves to deal with it.
2016-10-08 14:05:53 -05:00
Jon Hart
b3c6ec09a0
Show status when gathering, which can take a bit
2016-09-30 06:42:22 -07:00
Jon Hart
abed3bf6c2
Rename
2016-09-30 06:35:26 -07:00
Jon Hart
9ee6e1931a
target_uri simplification, cleanup
2016-09-30 06:24:50 -07:00
Jon Hart
60cfe6216a
mstfidy
2016-09-29 22:00:35 -07:00
Jon Hart
558adb5e1e
Uncork module and address style issues
2016-09-29 21:59:19 -07:00
Jon Hart
b2e06bed66
Initial commit of post module to gather AWS EC2 instance metadata
2016-09-29 21:52:22 -07:00
jvoisin
2272e15ca2
Remove some anti-patterns, in the same spirit than #7372
2016-09-29 00:15:01 +02:00
Henry Pitcairn
e5c05c05d2
Make OSX screencapture silent
...
By default, the `screencapture` command on OS X plays a camera sound effect. The -x option silences this.
2016-09-25 22:54:57 -04:00
h00die
cba297644e
post to local conversion
2016-09-22 22:08:24 -04:00
Brent Cook
60e728ec5c
Land #7065 , Correct display errors for SHA-512 hashes with MS SQL Server 2012
2016-09-15 18:06:02 -05:00