public static void Scout(string rhost, string domain, string ruser, string rpwd, string scoutfpath, string log, string scout_action, string scout_np, bool verbose)
{
List <String> actions = new List <string>()
{
"all", "wef", "pws", "ps", "svcs", "auditpol", "cmdline"
};
if (!actions.Contains(scout_action))
{
Console.WriteLine("[*] Not supported.");
Console.WriteLine("[*] Exiting");
return;
}
if (rpwd == "")
{
Console.Write("Password for {0}\\{1}: ", domain, ruser);
rpwd = Utils.GetPassword();
Console.WriteLine();
}
string uploadPath = System.Reflection.Assembly.GetEntryAssembly().Location;
int index = scoutfpath.LastIndexOf(@"\");
string scoutFolder = scoutfpath.Substring(0, index + 1);
string args = "/o";
Console.WriteLine("[+] Uploading Scout to {0} on {1}", scoutfpath, rhost);
RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Executing the Scout via WMI ...");
RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd);
Console.WriteLine("[+] Connecting to the Scout ...");
string result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN");
if (result.Equals("SYN/ACK"))
{
Console.WriteLine("[+] OK");
string results;
if (scout_action.Equals("all"))
{
string temp;
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "wef");
results = Encoding.UTF8.GetString(Convert.FromBase64String(temp));
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pws");
results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cmdline");
results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "ps");
results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "svcs");
results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "auditpol");
results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
}
else
{
results = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, scout_action);
results = Encoding.UTF8.GetString(Convert.FromBase64String(results));
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
}
if (verbose)
{
Console.WriteLine("[+] Grabbing the Scout output...");
System.Threading.Thread.Sleep(1000);
string sresults = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
Console.WriteLine("[+] Results:");
Console.WriteLine();
Console.WriteLine(sresults);
}
Console.WriteLine("[+] Scout Results...");
Console.WriteLine();
Console.WriteLine(results);
Console.WriteLine();
Console.WriteLine("[+] Cleaning up...");
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
}
}