import random
import string
import re
import cme
import os
from base64 import b64encode
from termcolor import colored
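def gen_random_string(length=10):
    """Return a string of *length* random ASCII letters (a-z, A-Z).

    Args:
        length: Number of characters to produce. It is coerced with int(),
            so a numeric string such as "8" is accepted; a non-numeric
            value raises ValueError. Values <= 0 yield ''.

    Returns:
        str of exactly ``int(length)`` letters, drawn with replacement.

    The letters come from the ``random`` module, which is not a
    cryptographic source: fine for throw-away names, unsuitable for keys,
    tokens or anything that must be unguessable.
    """
    # Draw with replacement: random.sample() drew without replacement and
    # raised ValueError as soon as length exceeded the 52 available letters.
    count = int(length)
    letters = string.ascii_letters
    pick = random.choice
    return ''.join(pick(letters) for _ in range(count))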
def validate_ntlm(data):
    """Return True if *data* begins with 32 hexadecimal characters.

    The match is case-insensitive and anchored only at the start: there is
    no end anchor, so a value that continues past the 32 hex digits (e.g.
    with a trailing ':' part) also passes. Non-string input raises
    TypeError from the regex engine.

    Args:
        data: Candidate hash string.

    Returns:
        bool
    """
    hex32 = r'^[0-9a-f]{32}'
    return re.match(hex32, data, re.IGNORECASE) is not None
def get_ps_script(path):
    """Return the filesystem path of a bundled script under the package data directory.

    The location is ``<directory of cme.__file__>/data/<path>``; nothing is
    checked for existence.

    Args:
        path: Script name (or relative sub-path) inside the data directory.
            os.path.join() discards the preceding components when *path*
            is absolute, so only fixed relative names should be passed.

    Returns:
        str path.
    """
    package_dir = os.path.dirname(cme.__file__)
    data_dir = os.path.join(package_dir, 'data')
    return os.path.join(data_dir, path)
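def write_log(data, log_name):
    """Write *data* to ``~/.cme/logs/<log_name>``, replacing any existing file.

    The logs directory is created when missing (the previous version raised
    IOError/OSError on a fresh profile). The file is opened with mode 'w' in
    text mode, so *data* must be text and earlier content is truncated.

    Args:
        data: Text to write.
        log_name: File name inside the logs directory. It is joined
            unchecked, so an absolute value or one containing '..' would
            name a location outside the logs directory; callers are
            expected to pass a plain file name.

    Raises:
        OSError/IOError if the directory or the file cannot be created.
    """
    logs_dir = os.path.join(os.path.expanduser('~/.cme'), 'logs')
    try:
        os.makedirs(logs_dir)
    except OSError:
        # Already present (or a genuine failure): re-raise only if the
        # directory is still missing, so a concurrent creator is tolerated.
        if not os.path.isdir(logs_dir):
            raise
    log_path = os.path.join(logs_dir, log_name)
    with open(log_path, 'w') as log_file:
        log_file.write(data)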
def obfs_ps_script(script, function_name=None):
    """Strip comments, blank lines and Write-Verbose/Write-Debug calls from PowerShell source.

    Removed in order: ``<# ... #>`` block comments (which may span lines),
    then every line that is empty, starts with ``#``, or starts
    (case-insensitively) with ``write-verbose `` or ``write-debug ``.
    Surviving lines are kept verbatim and joined with newlines.

    If *function_name* is given and the first line of *script* contains the
    word ``function``, the first ``-...`` run found anywhere in the text
    (not only on that first line) is replaced by ``-<function_name>``
    followed by a carriage return. Only that first match is rewritten.

    Args:
        script: PowerShell source as a str.
        function_name: Optional replacement for the part after the dash in
            the main function's Verb-Noun name.

    Returns:
        The reduced script as a str.
    """
    if function_name:
        first_line = script.split('\n', 1)[0]
        if 'function' in first_line:
            script = re.sub('-.*', '-{}\r'.format(function_name), script, count=1)

    # Block comments first, so lines inside them never reach the line filter.
    without_blocks = re.sub('<#.*?#>', '', script, flags=re.DOTALL)

    kept = []
    for line in without_blocks.split('\n'):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        lowered = stripped.lower()
        if lowered.startswith('write-verbose ') or lowered.startswith('write-debug '):
            continue
        kept.append(line)
    return '\n'.join(kept)
def create_ps_command(ps_command, force_ps32=False):
    """Build a ``powershell.exe`` command line that runs *ps_command* from an encoded argument.

    The script is first prefixed with a statement assigning ``{$true}`` to
    ``[Net.ServicePointManager]::ServerCertificateValidationCallback``; that
    callback accepts every server certificate, so TLS validation is
    effectively off for anything the script fetches. The text is then
    UTF-16LE encoded, base64 encoded and placed after ``-encoded`` together
    with ``-exec bypass -window hidden -noni -nop``; these flags are what
    shows up on the command line of the spawned process.

    With *force_ps32* the encoded payload is itself a wrapper script: on an
    AMD64 host it launches the SysWOW64 (32-bit) powershell.exe with the
    same flags and the inner encoded payload, otherwise it base64-decodes
    the inner payload, reads it as UTF-16 and IEXes it.

    The base64 value is interpolated with str.format() exactly as
    b64encode() returns it; on Python 3 that is a bytes object, so the
    interpolated text is its ``b'...'`` repr. Nothing is post-processed here.

    Args:
        ps_command: PowerShell source to run.
        force_ps32: Wrap the payload so it executes in a 32-bit process.

    Returns:
        str command line.
    """
    launcher = 'powershell.exe -exec bypass -window hidden -noni -nop -encoded {}'

    def encode(text):
        # -encoded takes the base64 of the script's UTF-16LE bytes.
        return b64encode(text.encode('UTF-16LE'))

    payload = ("[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
               + ps_command)

    if not force_ps32:
        return launcher.format(encode(payload))

    wrapper = """$command = '{}'
if ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64')
{{

$exec = $Env:windir + '\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass -window hidden -noni -nop -encoded ' + $command
IEX $exec
}}
else
{{
$exec = [System.Convert]::FromBase64String($command)
$exec = [Text.Encoding]::Unicode.GetString($exec)
IEX $exec

}}""".format(encode(payload))
    return launcher.format(encode(wrapper))
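def highlight(text, color='yellow'):
    """Return *text* wrapped in bold ANSI colour codes via termcolor.

    Args:
        text: Text to colour.
        color: termcolor colour name. 'yellow' (default) and 'red' behave
            exactly as before; any other name is now passed straight to
            termcolor instead of silently producing None (the previous
            version only handled those two). termcolor is expected to
            reject names it does not know — confirm against the installed
            version.

    Returns:
        The coloured text as unicode/str.
    """
    # Every colour is handled the same way, so one call replaces the former
    # per-colour branches and the implicit None for other names.
    return u'{}'.format(colored(text, color, attrs=['bold']))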