Ejemplo n.º 1
0
        public static void NetworkShareEnumerationCmdRemote(PlaybookTask playbook_task, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;
            Logger logger      = new Logger(currentPath + log);

            logger.SimulationHeader("T1135");
            logger.TimestampInfo("Using the command line to execute the technique");
            try
            {
                List <Computer> target_hosts = Targets.GetHostTargets(playbook_task, logger);
                if (playbook_task.task_sleep > 0)
                {
                    logger.TimestampInfo(String.Format("Sleeping {0} seconds between each network scan", playbook_task.task_sleep));
                }
                foreach (Computer computer in target_hosts)
                {
                    ExecutionHelper.StartProcessApi("", String.Format("net view \\\\{0}", computer.IPv4), logger);
                }
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 2
0
        static public void CreateRemoteServiceOnHosts(PlaybookTask playbook_task, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;
            Logger logger      = new Logger(currentPath + log);

            logger.SimulationHeader("T1021.002");
            if (playbook_task.variation == 1)
            {
                logger.TimestampInfo("Using sc.exe to execute this technique against remote hosts");
            }
            else if (playbook_task.variation == 2)
            {
                logger.TimestampInfo("Using the Win32 API CreateService function to execute this technique against remote hosts");
            }

            List <Computer> host_targets = new List <Computer>();
            List <Task>     tasklist     = new List <Task>();


            if (playbook_task.serviceName.Equals("random"))
            {
                string chars  = "ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789".ToLower();
                Random random = new Random();
                logger.TimestampInfo("Using random Service Name");
                playbook_task.serviceName = new string(Enumerable.Repeat(chars, 8).Select(s => s[random.Next(s.Length)]).ToArray());
            }
            try
            {
                host_targets = Targets.GetHostTargets(playbook_task, logger);
                foreach (Computer computer in host_targets)
                {
                    Computer temp = computer;
                    if (!computer.ComputerName.ToUpper().Contains(Environment.MachineName.ToUpper()))
                    {
                        tasklist.Add(Task.Factory.StartNew(() =>
                        {
                            if (playbook_task.variation == 1)
                            {
                                LateralMovementHelper.CreateRemoteServiceCmdline(temp, playbook_task, logger);
                            }
                            else if (playbook_task.variation == 2)
                            {
                                LateralMovementHelper.CreateRemoteServiceApi(temp, playbook_task, logger);
                            }
                        }));
                        if (playbook_task.task_sleep > 0)
                        {
                            logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep));
                        }
                    }
                }
                Task.WaitAll(tasklist.ToArray());
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 3
0
        static public void WinRmCodeExec(PlaybookTask playbook_task, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;
            Logger logger      = new Logger(currentPath + log);

            logger.SimulationHeader("T1021.006");
            if (playbook_task.variation == 1)
            {
                logger.TimestampInfo("Using powershell.exe to execute this technique against remote hosts");
            }
            else if (playbook_task.variation == 2)
            {
                logger.TimestampInfo("Using the System.Management.Automation .NET namespace to execute this technique");
            }

            List <Computer> host_targets = new List <Computer>();
            List <Task>     tasklist     = new List <Task>();

            try
            {
                host_targets = Targets.GetHostTargets(playbook_task, logger);

                foreach (Computer computer in host_targets)
                {
                    Computer temp = computer;
                    if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper()))
                    {
                        tasklist.Add(Task.Factory.StartNew(() =>
                        {
                            if (playbook_task.variation == 1)
                            {
                                LateralMovementHelper.WinRMCodeExecutionPowerShell(temp, playbook_task, logger);
                            }
                            else if (playbook_task.variation == 2)
                            {
                                LateralMovementHelper.WinRMCodeExecutionNET(temp, playbook_task, logger);
                            }
                        }));
                        if (playbook_task.task_sleep > 0)
                        {
                            logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep));
                        }
                    }
                }
                Task.WaitAll(tasklist.ToArray());
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 4
0
        public static void NetworkServiceDiscovery(PlaybookTask playbook_task, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;
            Logger logger      = new Logger(currentPath + log);

            logger.SimulationHeader("T1046");
            logger.TimestampInfo("Using the System.Net.Sockets .NET namespace to execute this technique");

            try
            {
                List <Task>     tasklist     = new List <Task>();
                List <Computer> target_hosts = Targets.GetHostTargets(playbook_task, logger);
                //logger.TimestampInfo(String.Format("Obtained {0} target computers for the scan", target_hosts.Count));
                if (playbook_task.task_sleep > 0)
                {
                    logger.TimestampInfo(String.Format("Sleeping {0} seconds between each network scan", playbook_task.task_sleep));
                }
                foreach (Computer computer in target_hosts)
                {
                    //if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper()))
                    //{
                    Computer temp     = computer;
                    TimeSpan interval = TimeSpan.FromSeconds(5);

                    tasklist.Add(Task.Factory.StartNew(() =>
                    {
                        logger.TimestampInfo(String.Format("Starting port scan against {0} ({1})", temp.ComputerName, temp.IPv4));
                        DiscoveryHelper.PortScan(temp, interval, playbook_task.ports, logger);
                    }));
                    if (playbook_task.task_sleep > 0)
                    {
                        Thread.Sleep(playbook_task.task_sleep * 1000);
                    }

                    //}
                }
                Task.WaitAll(tasklist.ToArray());
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 5
0
        static public void ModifyRemoteServiceOnHosts(PlaybookTask playbook_task, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;
            Logger logger      = new Logger(currentPath + log);

            logger.SimulationHeader("T1021.002");
            logger.TimestampInfo("Using the Win32 API CreateService function to execute this technique against remote hosts");

            List <Computer> host_targets = new List <Computer>();
            List <Task>     tasklist     = new List <Task>();

            try
            {
                host_targets = Targets.GetHostTargets(playbook_task, logger);

                foreach (Computer computer in host_targets)
                {
                    Computer temp = computer;
                    if (!computer.ComputerName.ToUpper().Contains(Environment.MachineName.ToUpper()))
                    {
                        //LateralMovementHelper.ModifyRemoteServiceApi(temp, playbook_task, logger);

                        tasklist.Add(Task.Factory.StartNew(() =>
                        {
                            LateralMovementHelper.ModifyRemoteServiceApi(temp, playbook_task, logger);
                        }));

                        if (playbook_task.task_sleep > 0)
                        {
                            logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep));
                        }
                    }
                }
                Task.WaitAll(tasklist.ToArray());
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 6
0
        public static void NetworkShareEnumerationApiRemote(PlaybookTask playbook_task, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;
            Logger logger      = new Logger(currentPath + log);

            logger.SimulationHeader("T1135");
            logger.TimestampInfo("Using the Win32 API NetShareEnum function to execute this technique");

            try
            {
                //List<Computer> targetcomputers = Lib.Targets.GetHostTargets_old(computertype, nhosts, logger);
                List <Task>     tasklist     = new List <Task>();
                List <Computer> target_hosts = Targets.GetHostTargets(playbook_task, logger);
                if (playbook_task.task_sleep > 0)
                {
                    logger.TimestampInfo(String.Format("Sleeping {0} seconds between each enumeration attempt", playbook_task.task_sleep));
                }
                foreach (Computer computer in target_hosts)
                {
                    if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper()))
                    {
                        tasklist.Add(Task.Factory.StartNew(() =>
                        {
                            DiscoveryHelper.ShareEnum(computer, logger);
                        }));
                        if (playbook_task.task_sleep > 0)
                        {
                            Thread.Sleep(playbook_task.task_sleep * 1000);
                        }
                    }
                }
                Task.WaitAll(tasklist.ToArray());
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 7
0
        public static void RemoteDomainPasswordSpray(PlaybookTask playbook_task, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;
            Logger logger      = new Logger(currentPath + log);

            logger.SimulationHeader("T1110.003");
            logger.TimestampInfo(String.Format("Remote Domain Brute Force using the WNetAddConnection2 Win32 API function"));
            bool            Kerberos     = false;
            List <Computer> host_targets = new List <Computer>();
            List <User>     user_targets = new List <User>();
            List <Task>     tasklist     = new List <Task>();
            string          domain       = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;

            try
            {
                if (playbook_task.user_target_type == 99)
                {
                    domain = ".";
                }
                // Executing a remote authentication with Kerberos will not connect to the remote host, just the DC.
                Kerberos = false;

                host_targets = Targets.GetHostTargets(playbook_task, logger);
                user_targets = Targets.GetUserTargets(playbook_task, logger);
                //if (playbook_task.protocol.ToUpper().Equals("NTLM")) Kerberos = false;
                if (playbook_task.task_sleep > 0)
                {
                    logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep));
                }

                if (playbook_task.host_target_type == 1 || playbook_task.host_target_type == 2)
                {
                    //Remote spray against one target host
                    //Target host either explictly defined in the playbook or randomly picked using LDAP queries
                    foreach (User user in user_targets)
                    {
                        User tempuser = user;
                        //int tempindex = index;
                        //if (playbook_task.task_sleep > 0 && tempindex > 0) Thread.Sleep(playbook_task.task_sleep * 1000);
                        if (playbook_task.task_sleep > 0)
                        {
                            Thread.Sleep(playbook_task.task_sleep * 1000);
                        }
                        tasklist.Add(Task.Factory.StartNew(() =>
                        {
                            CredAccessHelper.RemoteSmbLogin(host_targets[0], domain, tempuser.UserName, playbook_task.spray_password, Kerberos, logger);
                        }));
                    }
                    Task.WaitAll(tasklist.ToArray());
                }

                else if (playbook_task.host_target_type == 3 || playbook_task.host_target_type == 4)
                {
                    //Remote spray against several hosts, distributed
                    //Target hosts either explictly defined in the playbook or randomly picked using LDAP queries
                    int loops;
                    if (user_targets.Count >= host_targets.Count)
                    {
                        loops = host_targets.Count;
                    }
                    else
                    {
                        loops = user_targets.Count;
                    }

                    for (int i = 0; i < loops; i++)
                    {
                        int temp = i;
                        if (playbook_task.task_sleep > 0 && temp > 0)
                        {
                            Thread.Sleep(playbook_task.task_sleep * 1000);
                        }
                        tasklist.Add(Task.Factory.StartNew(() =>
                        {
                            CredAccessHelper.RemoteSmbLogin(host_targets[temp], domain, user_targets[temp].UserName, playbook_task.spray_password, Kerberos, logger);
                        }));
                    }
                    Task.WaitAll(tasklist.ToArray());
                }

                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }