private static void CallVCoverService_ReadData(WaitObject @object)
{
Task.Factory.StartNew((o) =>
{
WaitObject obj = (WaitObject)o;
m_WaitObjects[obj.Key] = obj;
List <FileInfo> files = (List <FileInfo>)obj.Value;
try
{
StringBuilder b = new StringBuilder();
b.Append(obj.Key);
b.Append(";");
foreach (FileInfo info in files)
{
b.Append(info.FullName);
b.Append(";");
}
NamedPipes.SendMessage("VCOVER", b.ToString());
}
catch (Exception ex)
{
obj.Err = ex;
}
}, @object);
}
public static void Inject()
{
if (NamedPipes.NamedPipeExist(NamedPipes.luapipename)) //check if the pipe exist
{
MessageBox.Show("Already injected!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Asterisk); //if the pipe exist that's mean that we don't need to inject
return;
}
else if (!NamedPipes.NamedPipeExist(NamedPipes.luapipename)) //check if the pipe don't exist
{
switch (Injector.DllInjector.GetInstance.Inject("RobloxPlayerBeta", AppDomain.CurrentDomain.BaseDirectory + "Axon.dll")) //Process name and dll directory
{
case Injector.DllInjectionResult.DllNotFound: //if can't find the dll
MessageBox.Show($"Could not find Axon DLL!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); //display messagebox to tell that dll was not found
return;
case Injector.DllInjectionResult.GameProcessNotFound: //if can't find the process
MessageBox.Show("Couldn't find RobloxPlayerBeta!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); //display messagebox to tell that proccess was not found
return;
case Injector.DllInjectionResult.InjectionFailed: //if injection fails(this don't work or only on special cases)
MessageBox.Show("Injection failed! Please try again later.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); //display messagebox to tell that injection failed
return;
}
Thread.Sleep(3000);
if (!NamedPipes.NamedPipeExist(NamedPipes.luapipename)) //check if the pipe dont exist
{
MessageBox.Show("Injection failed! Please try again later.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); //display that the pipe was not found so the injection was unsuccessful
}
}
}
private void ExecuteButton_Click(object sender, EventArgs e)
{
if (NamedPipes.NamedPipeExist(NamedPipes.luapipename))
{
NamedPipes.LuaPipe(ScriptBox.Text);
}
else
{
MessageBox.Show("Inject " + Functions.exploitdllname + " before Using this!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Exclamation); return;
}
}
static void Main()
{
bool newInstance;
using (Mutex mutex = new Mutex(false, "VCover", out newInstance))
{
if (newInstance)
{
try
{
ThreadPool.SetMaxThreads(50, 100);
Thread.CurrentThread.CurrentCulture =
Thread.CurrentThread.CurrentUICulture = CultureInfo.GetCultureInfo("en-us");
StartUp.TryToAddAppSafe();
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
AppDomain.CurrentDomain.UnhandledException += new UnhandledExceptionEventHandler(CurrentDomain_UnhandledException);
Application.ThreadException += new ThreadExceptionEventHandler(OnThreadException);
var ctn = new AppContext();
ctn.NewInFileEvent += new EventHandler <ValueEventArgs <Guid, string> >(NewCommandFileEvent);
ctn.Started += new EventHandler(ctn_Started);
StateSaver.Error += new ThreadExceptionEventHandler(OnThreadException);
AppContext.Default.Error += new ThreadExceptionEventHandler(OnThreadException);
StateSaver.Default.Path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "VCover.dat");
StateSaver.Default.Load();
TemplateMatcher.Path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "TemplateMatcher.dat");
TemplateMatcher.Load();
NamedPipes.ReceivedData += new ReceivedDataDelegate(NamedPipes_ReceivedData);
NamedPipes.Error += new ThreadExceptionEventHandler(OnThreadException);
NamedPipes.StartServer("VCOVER");
Application.Run(ctn);
}
finally
{
StateSaver.Default.Save();
TemplateMatcher.Save();
}
}
else
{
MessageBox.Show("An instance is already started.\r\nPlease close it first.",
Application.ProductName, MessageBoxButtons.OK, MessageBoxIcon.Exclamation);
}
}
}
public static void Execute(string script = "print(\"Hello World!\")")
{
if (NamedPipes.NamedPipeExist(NamedPipes.luapipename)) //check if the pipe exist
{
NamedPipes.LuaPipe(script); //lua pipe function to send the script
}
else
{
MessageBox.Show($"Inject Axon before using this!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Exclamation);//if the pipe can't be found a messagebox will appear
return;
}
}
public void Run()
{
StateSaver.Default.Set(Strings.USE_VCOVER, true);
var prtReadData = ms_ReadDataDelegate.GetFunctionPointer();
StateSaver.Default.Set(Strings.VCOVER_FUNC, prtReadData);
NamedPipes.ReceivedData += new ReceivedDataDelegate(NamedPipes_ReceivedData);
NamedPipes.Error += new ThreadExceptionEventHandler(NamedPipes_Error);
NamedPipes.StartServer("VPRINT");
}
private void button2_Click(object sender, EventArgs e)
{
if (apis.api == "ZeusX")
{
FastColoredTextBox fastColoredTextBox1
=
this.tabControl1.SelectedTab.Controls.Find
("fastColoredTextBox1", true).FirstOrDefault <Control>()
as FastColoredTextBox;
object[] args = new string[0];
object obj = fastColoredTextBox1.Text;
string script = obj.ToString();
NamedPipes.LuaPipe(script);
}
if (apis.api == "Sirhurt")
{
FastColoredTextBox fastColoredTextBox1
=
this.tabControl1.SelectedTab.Controls.Find
("fastColoredTextBox1", true).FirstOrDefault <Control>()
as FastColoredTextBox;
object[] args = new string[0];
object obj = fastColoredTextBox1.Text;
string script = obj.ToString();
SirHurtAPI.SirHurtAPI.Execute(script, true);
}
if (apis.api == "Electron")
{
FastColoredTextBox fastColoredTextBox1
=
this.tabControl1.SelectedTab.Controls.Find
("fastColoredTextBox1", true).FirstOrDefault <Control>()
as FastColoredTextBox;
object[] args = new string[0];
object obj = fastColoredTextBox1.Text;
string script = obj.ToString();
Electron.NamedPipes.LuaPipe(script);
}
if (apis.api == "KRNL")
{
FastColoredTextBox fastColoredTextBox1
=
this.tabControl1.SelectedTab.Controls.Find
("fastColoredTextBox1", true).FirstOrDefault <Control>()
as FastColoredTextBox;
object[] args = new string[0];
object obj = fastColoredTextBox1.Text;
string script = obj.ToString();
MainAPI.Execute(script);
}
}
public void SaveResult(Guid id, params string[] fileList)
{
StringBuilder b = new StringBuilder();
b.Append(id.ToString());
b.Append(";");
foreach (var st in fileList)
{
b.Append(st);
b.Append(";");
}
NamedPipes.SendMessage("VPRINT", b.ToString());
}
private void Application_Startup(object sender, StartupEventArgs e)
{
if (ProcessFinder.IsProcessAlreadyRunning())
{
if (e.Args.Any() && // Check if args contain any data
e.Args[0].StartsWith("nxm", StringComparison.OrdinalIgnoreCase)) // Check to see if it contains correct data
{
NamedPipes.SendMessage(e.Args[0]);
}
// We only want one instance of Automaton running at one time
Environment.Exit(0);
}
}
public MainViewModel()
{
BrowseCommand = new RelayCommand(Browse);
ApplyCommand = new RelayCommand(Apply);
CancelCommand = new RelayCommand(Cancel);
SkipCommand = new RelayCommand((arg) => Continue());
SearchEngine.Initialize();
SearchEngine.SearchCompleted += (args) =>
{
Covers = args;
IsSearching = false;
};
NamedPipes.MessageReceived += NamedPipes_MessageReceived;
NamedPipes.StartServer();
}
private void pictureBox4_Click(object sender, EventArgs e)
{
if (checkBox4.Checked == true)
{
NamedPipes.LuaPipe(fastColoredTextBox2.Text);
}
if (checkBox3.Checked == true)
{
OxygenU_API.Execute(fastColoredTextBox2.Text);
}
if (checkBox2.Checked == true)
{
MainAPI.Execute(fastColoredTextBox2.Text);
}
if (checkBox1.Checked == true)
{
module.ExecuteScript(fastColoredTextBox2.Text);
}
}
private void pictureBox13_Click(object sender, EventArgs e)
{
MessageBox.Show("E to open gui", "Vietnam");
if (checkBox4.Checked == true)
{
NamedPipes.LuaPipe(fastColoredTextBox11.Text);
}
if (checkBox3.Checked == true)
{
OxygenU_API.Execute(fastColoredTextBox11.Text);
}
if (checkBox2.Checked == true)
{
MainAPI.Execute(fastColoredTextBox11.Text);
}
if (checkBox1.Checked == true)
{
module.ExecuteScript(fastColoredTextBox11.Text);
}
}
private void pictureBox6_Click(object sender, EventArgs e)
{
if (checkBox4.Checked == true)
{
MessageBox.Show("Please use the api Krnl", "XFORCE");
NamedPipes.LuaPipe(fastColoredTextBox5.Text);
}
if (checkBox3.Checked == true)
{
OxygenU_API.Execute(fastColoredTextBox5.Text);
}
if (checkBox2.Checked == true)
{
MainAPI.Execute(fastColoredTextBox5.Text);
}
if (checkBox1.Checked == true)
{
module.ExecuteScript(fastColoredTextBox5.Text);
}
}
private static void PrintNamedPipes()
{
Beaprint.MainPrint("Enumerating Named Pipes");
try
{
string formatString = " {0,-100} {1}\n";
Beaprint.NoColorPrint(string.Format($"{formatString}", "Name", "Sddl"));
foreach (var namedPipe in NamedPipes.GetNamedPipeInfos())
{
Beaprint.BadPrint(string.Format(formatString, namedPipe.Name, namedPipe.Sddl));
}
}
catch (Exception ex)
{
//Beaprint.PrintException(ex.Message);
}
}
/// <summary>
/// Recieves messages from the NXMWorker and routes them back to the calling method by IProgress.
/// </summary>
/// <param name="progress"></param>
public void StartRecievingProtocolValues(IProgress <CaptureProtocolValuesProgress> progress)
{
var namedPipes = new NamedPipes(new Progress <string>(protocolResponse =>
{
var splitProtocolResponse = protocolResponse.Replace("nxm://", "")
.Split('/');
if (true || splitProtocolResponse[0].ToLower() == ModpackHeader.TargetGame)
{
var progressObject = new CaptureProtocolValuesProgress()
{
ModId = splitProtocolResponse[2],
FileId = splitProtocolResponse[4]
};
// Report back to the calling method
progress.Report(progressObject);
}
}));
namedPipes.StartServer();
}
public static void check()
{
for (;;)
{
if (NamedPipes.NamedPipeExist(NamedPipes.luapipename))
{
Console.WriteLine("Pipe found");
}
else
{
Console.WriteLine("Pipe doesn't exist");
}
//foreach (Process pc in Process.GetProcessesByName("RobloxPlayerBeta"))
// try
// {
// pc.Kill();
// }
// catch (Exception ex)
// {
// Console.WriteLine($"Nothing to worrie about " + ex.ToString());
// }
Thread.Sleep(2000);
}
}
private void BunifuExecLua_Click(object sender, EventArgs e)
{
switch (ExeMode)
{
case 1:
if (WRDAPICheck.Value == true)
{
ExploitAPI.ExploitAPI.SendLuaScript(TextArea.Text);
Console.WriteLine("Executed script using WeAreDevs API");
}
else if (APIMCheck.Value == true)
{
ApiModule.ApiModule.ExecuteScript(TextArea.Text);
Console.WriteLine("Executed script using ApiModule");
}
else if (SkidsploitOnOff.Value == true)
{
MessageBox.Show("Not supported at this build!, please wait for a newer build that support Skisploit API", "Generic Exploit Loader", MessageBoxButtons.OK, MessageBoxIcon.Error);
/*RedBoy.NamedPipes.LuaPipe(TextArea.Text);
* Console.WriteLine("Executed script using RedBoy");
*/// We dont need this since we can't inject Rb.
}
else if (HaxonSwitch.Value == true)
{
NamedPipes.LuaPipe(TextArea.Text);
Console.WriteLine("Executed script using Haxon-[Generic]");
}
else if (AwSwitch.Value == true)
{
AwApi.Execute(TextArea.Text);
Console.WriteLine("Executed script using AutisticWare");
}
else if (Ax0nSwitch.Value == true)
{
NamedPipes.LuaPipe(TextArea.Text);
Console.WriteLine("Executed script using Axon-Generic");
}
else if (sirhurtswitch.Value == true)
{
NamedPipes.LuaPipe(TextArea.Text);
Console.WriteLine("Executed script using SirHurt-[Generic]");
}
else
{
Console.WriteLine("Can't execute script, user hasn't choosed mode yet.");
MessageBox.Show("Please choose a mode to execute.", "Generic Exploit Loader", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
break;
case 2:
HtmlDocument document = this.MonacoEditor.Document;
string scriptName = "GetText";
object[] array = new string[0];
object[] args = array;
if (WRDAPICheck.Value == true)
{
ExploitAPI.ExploitAPI.SendLuaScript(document.InvokeScript(scriptName, args).ToString());
Console.WriteLine("Executed script using WeAreDevs API");
}
else if (APIMCheck.Value == true)
{
ApiModule.ApiModule.ExecuteScript(document.InvokeScript(scriptName, args).ToString());
Console.WriteLine("Executed script using ApiModule");
}
else if (SkidsploitOnOff.Value == true)
{
MessageBox.Show("Not supported at this build!, please wait for a newer build that support Skisploit API", "Generic Exploit Loader", MessageBoxButtons.OK, MessageBoxIcon.Error);
/*
* RedBoy.NamedPipes.LuaPipe(document.InvokeScript(scriptName, args).ToString());
* Console.WriteLine("Executed script using RedBoy");
*/// Not working since we cant inject rb.
}
else if (HaxonSwitch.Value == true)
{
NamedPipes.LuaPipe(document.InvokeScript(scriptName, args).ToString());
Console.WriteLine("Executed script using Haxon-[Generic]");
}
else if (AwSwitch.Value == true)
{
AwApi.Execute(document.InvokeScript(scriptName, args).ToString());
Console.WriteLine("Executed script using AutisticWare");
}
else if (Ax0nSwitch.Value == true)
{
NamedPipes.LuaPipe(document.InvokeScript(scriptName, args).ToString());
Console.WriteLine("Executed script using Axon-Generic");
}
else if (sirhurtswitch.Value == true)
{
if (ara_ara == null)
{
ara_ara = CallSite <Action <CallSite, Type, object> > .Create(Binder.InvokeMember(CSharpBinderFlags.ResultDiscarded, "SirHurtPipe", null, typeof(DefaultForm), new CSharpArgumentInfo[]
{
CSharpArgumentInfo.Create(CSharpArgumentInfoFlags.UseCompileTimeType | CSharpArgumentInfoFlags.IsStaticType, null),
CSharpArgumentInfo.Create(CSharpArgumentInfoFlags.None, null)
}));
}
ara_ara.Target(ara_ara, typeof(DefaultForm), document.InvokeScript(scriptName, args).ToString());
Console.WriteLine("Executed script using SirHurt");
}
else
{
Console.WriteLine("Can't execute script, user hasn't choosed mode yet.");
MessageBox.Show("Please choose a mode to execute.", "Generic Exploit Loader", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
break;
}
}
public static SimulationPlaybookResult ExecuteRemoteTechniquesJson(string rhost, string domain, string ruser, string rpwd, string techniques, int pbsleep, int tsleep, string scoutfpath, string scout_np, string simrpath, string log, bool opsec, bool verbose)
{
// techniques that need to be executed from a high integrity process
string[] privileged_techniques = new string[] { "T1003.001", "T1136.001", "T1070.001", "T1543.003", "T1546.003" };
string uploadPath = System.Reflection.Assembly.GetEntryAssembly().Location;
int index = scoutfpath.LastIndexOf(@"\");
string scoutFolder = scoutfpath.Substring(0, index + 1);
Thread.Sleep(3000);
if (opsec)
{
string result = "";
string args = "/o";
//Console.WriteLine("[+] Uploading Scout to {0} on {1}", scoutfpath, rhost);
RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
//Console.WriteLine("[+] Executing the Scout via WMI ...");
RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd);
//Console.WriteLine("[+] Connecting to namedpipe service ...");
result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN");
if (result.Equals("SYN/ACK"))
{
//Console.WriteLine("[+] OK");
if (privileged_techniques.Contains(techniques.ToUpper()))
{
result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:privileged");
}
else
{
result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:regular");
}
string[] payload = result.Split(',');
string duser = payload[0];
if (duser == "")
{
Console.WriteLine("[!] Could not identify a suitable process for the simulation. Is a user logged in on: " + rhost + "?");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
Thread.Sleep(1000);
RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
//Console.WriteLine("[!] Exitting.");
return(null);
}
else
{
string user = duser.Split('\\')[1];
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "simrpath:" + simrpath);
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "technique:" + techniques);
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "opsec:" + "ppid");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pbsleep:" + pbsleep.ToString());
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "tsleep:" + tsleep.ToString());
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cleanup:True");
string simfpath = "C:\\Users\\" + user + "\\" + simrpath;
int index2 = simrpath.LastIndexOf(@"\");
string simrfolder = simrpath.Substring(0, index2 + 1);
string simfolder = "C:\\Users\\" + user + "\\" + simrfolder;
//Console.WriteLine("[+] Uploading Simulation agent to " + simfpath);
RemoteLauncher.upload(uploadPath, simfpath, rhost, ruser, rpwd, domain);
//Console.WriteLine("[+] Triggering simulation...");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "act");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
System.Threading.Thread.Sleep(5000);
bool finished = false;
int counter = 1;
string results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
while (finished == false)
{
if (results.Split('\n').Last().Contains("Playbook Finished"))
{
Console.WriteLine("[+] Results:");
Console.WriteLine();
Console.WriteLine(results);
Console.WriteLine();
RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
RemoteLauncher.delete(simfpath, rhost, ruser, rpwd, domain);
RemoteLauncher.delete(simfolder + log, rhost, ruser, rpwd, domain);
finished = true;
}
else
{
Console.WriteLine("[+] Not finished. Waiting an extra {0} seconds", counter * 10);
Thread.Sleep(counter * 10 * 1000);
results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
}
counter += 1;
}
return(Json.GetPlaybookResult(results));
}
}
else
{
//Console.WriteLine("[!] Could not connect to namedpipe service");
return(null);
}
}
else
{
//Console.WriteLine("[+] Uploading PurpleSharp to {0} on {1}", scoutfpath, rhost);
RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
string cmdline = "/t " + techniques;
//Console.WriteLine("[+] Executing PurpleSharp via WMI ...");
RemoteLauncher.wmiexec(rhost, scoutfpath, cmdline, domain, ruser, rpwd);
Thread.Sleep(3000);
Console.WriteLine("[+] Obtaining results...");
string results = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
Console.WriteLine("[+] Results:");
Console.WriteLine();
Console.WriteLine(results);
//Console.WriteLine("[+] Cleaning up...");
//Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
//
//Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
return(Json.GetPlaybookResult(results));
}
}
public static void ExecuteRemoteTechniques(string rhost, string domain, string ruser, string rpwd, string techniques, int pbsleep, int tsleep, string scoutfpath, string scout_np, string simrpath, string simulator_np, string log, bool opsec, bool verbose, bool cleanup)
{
// techniques that need to be executed from a high integrity process
string[] privileged_techniques = new string[] { "T1003.001", "T1136.001", "T1070.001", "T1543.003", "T1546.003" };
if (rpwd == "")
{
Console.Write("Password for {0}\\{1}: ", domain, ruser);
rpwd = Utils.GetPassword();
Console.WriteLine();
}
string uploadPath = System.Reflection.Assembly.GetEntryAssembly().Location;
int index = scoutfpath.LastIndexOf(@"\");
string scoutFolder = scoutfpath.Substring(0, index + 1);
System.Threading.Thread.Sleep(3000);
if (opsec)
{
string result = "";
string args = "/o";
Console.WriteLine("[+] Uploading and executing the Scout on {0} ", @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd);
Console.WriteLine("[+] Connecting to the Scout ...");
result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN");
if (result.Equals("SYN/ACK"))
{
Console.WriteLine("[+] OK");
if (privileged_techniques.Contains(techniques.ToUpper()))
{
result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:privileged");
}
else
{
result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:regular");
}
string[] payload = result.Split(',');
string duser = payload[0];
if (duser == "")
{
Console.WriteLine("[!] Could not identify a suitable process for the simulation. Is a user logged in on: " + rhost + "?");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
Thread.Sleep(1000);
RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
Console.WriteLine("[!] Exitting.");
return;
}
else
{
string user = duser.Split('\\')[1];
//Console.WriteLine("[+] Sending simulator binary...");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "simrpath:" + simrpath);
//Console.WriteLine("[+] Sending technique ...");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "technique:" + techniques);
//Console.WriteLine("[+] Sending opsec techqniue...");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "opsec:" + "ppid");
//Console.WriteLine("[+] Sending sleep...");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pbsleep:" + pbsleep.ToString());
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "tsleep:" + tsleep.ToString());
if (cleanup)
{
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cleanup:True");
}
else
{
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cleanup:False");
}
Console.WriteLine("[!] Recon -> " + String.Format("Identified logged user: {0}", duser));
string simfpath = "C:\\Users\\" + user + "\\" + simrpath;
int index2 = simrpath.LastIndexOf(@"\");
string simrfolder = simrpath.Substring(0, index2 + 1);
string simfolder = "C:\\Users\\" + user + "\\" + simrfolder;
Console.WriteLine("[+] Uploading Simulation agent to " + @"\\" + rhost + @"\" + simfpath.Replace(":", "$"));
RemoteLauncher.upload(uploadPath, simfpath, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Triggering simulation using PPID Spoofing | Process: {0}.exe | PID: {1} | High Integrity: {2}", payload[1], payload[2], payload[3]);
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "act");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
if (verbose)
{
Console.WriteLine("[+] Grabbing the Scout output...");
System.Threading.Thread.Sleep(1000);
string sresults = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
Console.WriteLine("[+] Results:");
Console.WriteLine();
Console.WriteLine(sresults);
}
Thread.Sleep(5000);
bool finished = false;
int counter = 1;
string results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
while (finished == false)
{
if (results.Split('\n').Last().Contains("Playbook Finished"))
{
//Console.WriteLine("[+] Obtaining the Simulation Agent output...");
Console.WriteLine("[+] Results:");
Console.WriteLine();
Console.WriteLine(results);
Console.WriteLine();
Console.WriteLine("[+] Cleaning up...");
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + simfpath.Replace(":", "$"));
RemoteLauncher.delete(simfpath, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (simfolder + log).Replace(":", "$"));
RemoteLauncher.delete(simfolder + log, rhost, ruser, rpwd, domain);
finished = true;
}
else
{
Console.WriteLine("[+] Not finished. Waiting an extra {0} seconds", counter * 10);
Thread.Sleep(counter * 10 * 1000);
results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
}
counter += 1;
}
}
}
else
{
Console.WriteLine("[!] Could not connect to namedpipe service");
Console.WriteLine("[!] Exitting.");
return;
}
}
else
{
Console.WriteLine("[+] Uploading and executing the Simulation agent on {0} ", @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
RemoteLauncher.wmiexec(rhost, scoutfpath, "/s", domain, ruser, rpwd);
Thread.Sleep(2000);
if (cleanup)
{
NamedPipes.RunClient(rhost, domain, ruser, rpwd, simulator_np, "technique:" + techniques + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:True");
}
else
{
NamedPipes.RunClient(rhost, domain, ruser, rpwd, simulator_np, "technique:" + techniques + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:False");
}
Thread.Sleep(5000);
bool finished = false;
int counter = 1;
string results = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
while (finished == false)
{
if (results.Split('\n').Last().Contains("Playbook Finished"))
{
Console.WriteLine("[+] Obtaining results...");
Console.WriteLine("[+] Results:");
Console.WriteLine();
Console.WriteLine(results);
Console.WriteLine();
Console.WriteLine("[+] Cleaning up...");
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
finished = true;
}
else
{
Console.WriteLine("[+] Not finished. Waiting an extra {0} seconds", counter * 10);
Thread.Sleep(counter * 10 * 1000);
results = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
}
counter += 1;
}
}
}
public static void Scout(string rhost, string domain, string ruser, string rpwd, string scoutfpath, string log, string scout_action, string scout_np, bool verbose)
{
List <String> actions = new List <string>()
{
"all", "wef", "pws", "ps", "svcs", "auditpol", "cmdline"
};
if (!actions.Contains(scout_action))
{
Console.WriteLine("[*] Not supported.");
Console.WriteLine("[*] Exiting");
return;
}
if (rpwd == "")
{
Console.Write("Password for {0}\\{1}: ", domain, ruser);
rpwd = Utils.GetPassword();
Console.WriteLine();
}
string uploadPath = System.Reflection.Assembly.GetEntryAssembly().Location;
int index = scoutfpath.LastIndexOf(@"\");
string scoutFolder = scoutfpath.Substring(0, index + 1);
string args = "/o";
Console.WriteLine("[+] Uploading Scout to {0} on {1}", scoutfpath, rhost);
RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Executing the Scout via WMI ...");
RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd);
Console.WriteLine("[+] Connecting to the Scout ...");
string result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN");
if (result.Equals("SYN/ACK"))
{
Console.WriteLine("[+] OK");
string results;
if (scout_action.Equals("all"))
{
string temp;
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "wef");
results = Encoding.UTF8.GetString(Convert.FromBase64String(temp));
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pws");
results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cmdline");
results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "ps");
results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "svcs");
results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "auditpol");
results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
}
else
{
results = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, scout_action);
results = Encoding.UTF8.GetString(Convert.FromBase64String(results));
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
}
if (verbose)
{
Console.WriteLine("[+] Grabbing the Scout output...");
System.Threading.Thread.Sleep(1000);
string sresults = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
Console.WriteLine("[+] Results:");
Console.WriteLine();
Console.WriteLine(sresults);
}
Console.WriteLine("[+] Scout Results...");
Console.WriteLine();
Console.WriteLine(results);
Console.WriteLine();
Console.WriteLine("[+] Cleaning up...");
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
}
}
public static void Main(string[] args)
{
bool cleanup, opsec, verbose, scoutservice, simservice, newchild, scout, remote, navigator;
string techniques, rhost, domain, ruser, rpwd, scoutfpath, simrpath, log, dc, pb_file, nav_action, navfile, scout_action, scout_np, simulator_np;
int pbsleep, tsleep, nusers, nhosts;
pbsleep = tsleep = 0;
nusers = nhosts = 5;
opsec = cleanup = true;
verbose = scoutservice = simservice = newchild = scout = remote = navigator = false;
techniques = rhost = domain = ruser = rpwd = dc = pb_file = nav_action = navfile = scout_action = "";
scoutfpath = "C:\\Windows\\Temp\\Scout.exe";
simrpath = "Downloads\\Firefox_Installer.exe";
log = "0001.dat";
scout_np = "scoutpipe";
simulator_np = "simpipe";
//should move this to sqlite or a JSON file.
string[] execution = new string[] { "T1053.005", "T1059.003", "T1059.005", "T1059.007", "T1059.001", "T1569.002" };
string[] persistence = new string[] { "T1053.005", "T1136.001", "T1543.003", "T1547.001", "T1546.003", "T1197" };
string[] privelege_escalation = new string[] { "T1053.005", "T1543.003", "T1547.001", "T1546.003", "T1055.002", "T1055.004" };
string[] defense_evasion = new string[] { "T1218.010", "T1218.005", "T1218.003", "T1218.011", "T1070.001", "T1220", "T1055.002", "T1055.004", "T1140", "T1197", "T1218.009", "T1218.004" };
string[] credential_access = new string[] { "T1110.003", "T1558.003", "T1003.001" };
string[] discovery = new string[] { "T1135", "T1046", "T1087.001", "T1087.002", "T1007", "T1033", "T1049", "T1016", "T1083" };
string[] lateral_movement = new string[] { "T1021", "T1021.006", "T1047" };
string[] supported_techniques = execution.Union(persistence).Union(privelege_escalation).Union(defense_evasion).Union(credential_access).Union(discovery).Union(lateral_movement).ToArray();
if (args.Length == 0)
{
Usage();
return;
}
for (int i = 0; i < args.Length; i++)
{
try
{
switch (args[i])
{
//// User Parameters ////
case "/pb":
pb_file = args[i + 1];
break;
case "/rhost":
rhost = args[i + 1];
remote = true;
break;
case "/ruser":
ruser = args[i + 1];
break;
case "/d":
domain = args[i + 1];
break;
case "/rpwd":
rpwd = args[i + 1];
break;
case "/dc":
dc = args[i + 1];
break;
case "/t":
techniques = args[i + 1];
break;
case "/scoutpath":
scoutfpath = args[i + 1];
break;
case "/simpath":
simrpath = args[i + 1];
break;
case "/pbsleep":
pbsleep = Int32.Parse(args[i + 1]);
break;
case "/tsleep":
tsleep = Int32.Parse(args[i + 1]);
break;
case "/noopsec":
opsec = false;
break;
case "/v":
verbose = true;
break;
case "/nocleanup":
cleanup = false;
break;
case "/scout":
scout = true;
scout_action = args[i + 1];
break;
case "/navigator":
navigator = true;
nav_action = args[i + 1];
if (nav_action.Equals("import"))
{
navfile = args[i + 2];
}
break;
//// Internal Parameters ////
case "/o":
scoutservice = true;
break;
case "/s":
simservice = true;
break;
case "/n":
newchild = true;
break;
default:
break;
}
}
catch
{
Console.WriteLine("[*] Error parsing parameters :( ");
Console.WriteLine("[*] Exiting");
return;
}
}
//// Handling Internal Parameters ////
if (newchild)
{
const uint NORMAL_PRIORITY_CLASS = 0x0020;
Structs.PROCESS_INFORMATION pInfo = new Structs.PROCESS_INFORMATION();
Structs.STARTUPINFO sInfo = new Structs.STARTUPINFO();
Structs.SECURITY_ATTRIBUTES pSec = new Structs.SECURITY_ATTRIBUTES();
Structs.SECURITY_ATTRIBUTES tSec = new Structs.SECURITY_ATTRIBUTES();
pSec.nLength = Marshal.SizeOf(pSec);
tSec.nLength = Marshal.SizeOf(tSec);
string currentbin = System.Reflection.Assembly.GetEntryAssembly().Location;
//run the simulation agent
WinAPI.CreateProcess(null, currentbin + " /s", ref pSec, ref tSec, false, NORMAL_PRIORITY_CLASS, IntPtr.Zero, null, ref sInfo, out pInfo);
return;
}
if (scoutservice)
{
NamedPipes.RunScoutService(scout_np, simulator_np, log);
return;
}
if (simservice)
{
string[] options = NamedPipes.RunSimulationService(simulator_np, log);
ExecuteTechniques(options[0], nusers, nhosts, Int32.Parse(options[1]), Int32.Parse(options[2]), log, bool.Parse(options[3]));
return;
}
//// Handling User Parameters ////
if (navigator)
{
if (nav_action.Equals("export"))
{
try
{
Console.WriteLine("[+] PurpleSharp supports " + supported_techniques.Count() + " unique ATT&CK techniques.");
Console.WriteLine("[+] Generating an ATT&CK Navigator layer...");
Json.ExportAttackLayer(supported_techniques.Distinct().ToArray());
Console.WriteLine("[!] Open PurpleSharp.json on https://mitre-attack.github.io/attack-navigator");
return;
}
catch
{
Console.WriteLine("[!] Error generating JSON layer...");
Console.WriteLine("[!] Exitting...");
return;
}
}
else if (nav_action.Equals("import"))
{
Console.WriteLine("[+] Loading {0}", navfile);
string json = File.ReadAllText(navfile);
NavigatorLayer layer = Json.ReadNavigatorLayer(json);
Console.WriteLine("[!] Loaded attack navigator '{0}'", layer.name);
Console.WriteLine("[+] Converting ATT&CK navigator Json...");
SimulationExercise engagement = Json.ConvertNavigatorToSimulationExercise(layer, supported_techniques.Distinct().ToArray());
Json.CreateSimulationExercise(engagement);
Console.WriteLine("[!] Done");
Console.WriteLine("[+] Open simulation.json");
return;
}
else
{
Console.WriteLine("[!] Didnt recognize parameter...");
Console.WriteLine("[!] Exitting...");
return;
}
}
if (scout && !scout_action.Equals(""))
{
if (!rhost.Equals("") && !domain.Equals("") && !ruser.Equals(""))
{
if (rpwd == "")
{
Console.Write("Password for {0}\\{1}: ", domain, ruser);
rpwd = Utils.GetPassword();
Console.WriteLine();
}
if (!rhost.Equals("random"))
{
Scout(rhost, domain, ruser, rpwd, scoutfpath, log, scout_action, scout_np, verbose);
return;
}
else if (!dc.Equals(""))
{
List <Computer> targets = new List <Computer>();
targets = Ldap.GetADComputers(10, dc, ruser, rpwd);
if (targets.Count > 0)
{
Console.WriteLine("[+] Obtained {0} possible targets.", targets.Count);
var random = new Random();
int index = random.Next(targets.Count);
Console.WriteLine("[+] Picked Random host for simulation: " + targets[index].Fqdn);
Scout(targets[index].ComputerName, domain, ruser, rpwd, scoutfpath, log, scout_action, scout_np, verbose);
return;
}
else
{
Console.WriteLine("[!] Could not obtain targets for the simulation");
return;
}
}
else
{
Console.WriteLine("[*] Missing parameters :( ");
Console.WriteLine("[*] Exiting");
return;
}
}
else
{
Console.WriteLine("[*] Missing parameters :( ");
Console.WriteLine("[*] Exiting");
return;
}
}
if (!pb_file.Equals(""))
{
string json = File.ReadAllText(pb_file);
SimulationExercise engagement = Json.ReadSimulationPlaybook(json);
if (engagement != null)
{
Console.Write("Submit Password for {0}\\{1}: ", engagement.domain, engagement.username);
string pass = Utils.GetPassword();
Console.WriteLine("[+] PurpleSharp will execute {0} playbook(s)", engagement.playbooks.Count);
SimulationExerciseResult engagementResults = new SimulationExerciseResult();
engagementResults.playbookresults = new List <SimulationPlaybookResult>();
SimulationPlaybook lastPlaybook = engagement.playbooks.Last();
foreach (SimulationPlaybook playbook in engagement.playbooks)
{
SimulationPlaybookResult playbookResults = new SimulationPlaybookResult();
playbookResults.taskresults = new List <PlaybookTaskResult>();
playbookResults.name = playbook.name;
playbookResults.host = playbook.host;
Console.WriteLine("[+] Starting Execution of {0}", playbook.name);
PlaybookTask lastTask = playbook.tasks.Last();
List <string> techs = new List <string>();
foreach (PlaybookTask task in playbook.tasks)
{
techs.Add(task.technique);
}
string techs2 = String.Join(",", techs);
if (playbook.host.Equals("random"))
{
List <Computer> targets = Ldap.GetADComputers(10, engagement.dc, engagement.username, pass);
if (targets.Count > 0)
{
Console.WriteLine("[+] Obtained {0} possible targets.", targets.Count);
var random = new Random();
int index = random.Next(targets.Count);
Console.WriteLine("[+] Picked random host for simulation: " + targets[index].Fqdn);
Console.WriteLine("[+] Executing techniques {0} against {1}", techs2, targets[index].Fqdn);
playbookResults = ExecuteRemoteTechniquesJson(targets[index].Fqdn, engagement.domain, engagement.username, pass, techs2, playbook.pbsleep, playbook.tsleep, playbook.scoutfpath, scout_np, playbook.simrpath, log, true, false);
playbookResults.name = playbook.name;
}
else
{
Console.WriteLine("[!] Could not obtain targets for the simulation");
}
}
else
{
Console.WriteLine("[+] Executing techniques {0} against {1}", techs2, playbook.host);
playbookResults = ExecuteRemoteTechniquesJson(playbook.host, engagement.domain, engagement.username, pass, techs2, playbook.pbsleep, playbook.tsleep, playbook.scoutfpath, scout_np, playbook.simrpath, log, true, false);
playbookResults.name = playbook.name;
}
if (engagement.sleep > 0 && !playbook.Equals(lastPlaybook))
{
Console.WriteLine();
Console.WriteLine("[+] Sleeping {0} minutes until next playbook...", engagement.sleep);
Thread.Sleep(1000 * engagement.sleep * 60);
}
engagementResults.playbookresults.Add(playbookResults);
}
Console.WriteLine("Writting JSON results...");
string output_file = pb_file.Replace(".json", "") + "_results.json";
Json.WriteJsonPlaybookResults(engagementResults, output_file);
Console.WriteLine("DONE. Open " + output_file);
Console.WriteLine();
return;
}
else
{
Console.WriteLine("[!] Could not parse JSON input.");
Console.WriteLine("[*] Exiting");
return;
}
}
if (remote)
{
if (!rhost.Equals("") && !domain.Equals("") && !ruser.Equals("") && !techniques.Equals(""))
{
if (rpwd == "")
{
Console.Write("Password for {0}\\{1}: ", domain, ruser);
rpwd = Utils.GetPassword();
Console.WriteLine();
}
if (!rhost.Equals("random"))
{
ExecuteRemoteTechniques(rhost, domain, ruser, rpwd, techniques, pbsleep, tsleep, scoutfpath, scout_np, simrpath, simulator_np, log, opsec, verbose, cleanup);
return;
}
else if (!dc.Equals(""))
{
List <Computer> targets = new List <Computer>();
targets = Ldap.GetADComputers(10, dc, ruser, rpwd);
if (targets.Count > 0)
{
Console.WriteLine("[+] Obtained {0} possible targets.", targets.Count);
var random = new Random();
int index = random.Next(targets.Count);
Console.WriteLine("[+] Picked Random host for simulation: " + targets[index].Fqdn);
ExecuteRemoteTechniques(targets[index].Fqdn, domain, ruser, rpwd, techniques, pbsleep, tsleep, scoutfpath, scout_np, simrpath, simulator_np, log, opsec, verbose, cleanup);
return;
}
else
{
Console.WriteLine("[!] Could not obtain targets for the simulation");
return;
}
}
else
{
Console.WriteLine("[*] Missing dc :( ");
Console.WriteLine("[*] Exiting");
return;
}
}
else
{
Console.WriteLine("[*] Missing parameters :( ");
Console.WriteLine("[*] Exiting");
return;
}
}
// running simulations locally
else if (!techniques.Equals(""))
{
ExecuteTechniques(techniques, nusers, nhosts, pbsleep, tsleep, log, cleanup);
}
}
public IPCProcess(NamedPipes.NamedPipeInitialisation initArgs)
: this(initArgs, new NamedPipes.NamedPipeServer(), new NamedPipes.NamedPipeClient())
{
}
