/// <summary>
/// Runs one remote simulation end to end and prints progress to the console: optionally prompts
/// for the password, copies the currently running executable to <paramref name="rhost"/>, starts it
/// through WMI, drives it over a named pipe, polls the remote log until its last line contains
/// "Playbook Finished", prints that log and deletes the files this method placed on the host.
/// Every step is a remote side effect; nothing is returned.
/// </summary>
/// <param name="rhost">Host the upload, the WMI call and every named-pipe round trip are directed at.</param>
/// <param name="domain">Domain of the account used for all remote calls.</param>
/// <param name="ruser">User name of that account.</param>
/// <param name="rpwd">Password for that account; when empty it is read interactively via Utils.GetPassword().
/// It is then held in a managed string and handed to every remote helper for the whole run.</param>
/// <param name="techniques">Technique identifier string forwarded to the remote agent as "technique:…" and
/// compared (upper-cased, as a whole string) against the privileged list below.</param>
/// <param name="pbsleep">Forwarded verbatim as "pbsleep:…".</param>
/// <param name="tsleep">Forwarded verbatim as "tsleep:…".</param>
/// <param name="scoutfpath">Full remote path the executable is copied to. It is expected to contain a drive
/// letter: the ':' is rewritten to '$' only to print the UNC form.</param>
/// <param name="scout_np">Named pipe used to talk to the first remote copy (opsec mode).</param>
/// <param name="simrpath">Path of the second copy, relative to C:\Users\&lt;user&gt; (opsec mode only).</param>
/// <param name="simulator_np">Named pipe used in non-opsec mode.</param>
/// <param name="log">Log file name; it is looked for in the folder of each uploaded copy.</param>
/// <param name="opsec">true selects the two-stage path (recon, then a second copy under the logged-in
/// user's profile); false runs the single uploaded copy directly.</param>
/// <param name="verbose">Opsec mode only: also fetches and prints the first copy's log before polling.</param>
/// <param name="cleanup">Forwarded to the remote agent as "cleanup:True" / "cleanup:False".</param>
public static void ExecuteRemoteTechniques(string rhost, string domain, string ruser, string rpwd, string techniques, int pbsleep, int tsleep, string scoutfpath, string scout_np, string simrpath, string simulator_np, string log, bool opsec, bool verbose, bool cleanup)
{
    // Technique IDs the remote side has to run from a high-integrity process; a match selects
    // "recon:privileged" below. The match is an exact whole-string comparison, so a value holding
    // more than one ID (if the caller ever passes that) would not match — confirm against the caller.
    string[] privileged_techniques = new string[] { "T1003.001", "T1136.001", "T1070.001", "T1543.003", "T1546.003" };

    // Interactive fallback when no password was supplied on the command line.
    if (rpwd == "")
    {
        Console.Write("Password for {0}\\{1}: ", domain, ruser);
        rpwd = Utils.GetPassword();
        Console.WriteLine();
    }

    // The file that gets uploaded is this very executable.
    string uploadPath = System.Reflection.Assembly.GetEntryAssembly().Location;

    // Folder part of scoutfpath, trailing backslash included; the remote log is addressed there.
    // NOTE(review): with no backslash in scoutfpath, index is -1 and scoutFolder is "", so the log
    // is later addressed by bare file name.
    int index = scoutfpath.LastIndexOf(@"\");
    string scoutFolder = scoutfpath.Substring(0, index + 1);
    System.Threading.Thread.Sleep(3000);

    if (opsec)
    {
        string result = "";
        string args = "/o";
        Console.WriteLine("[+] Uploading and executing the Scout on {0} ", @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
        RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
        RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd);
        Console.WriteLine("[+] Connecting to the Scout ...");

        // Handshake: the remote copy must answer "SYN" with exactly "SYN/ACK".
        // NOTE(review): result.Equals would throw NullReferenceException if RunClient can return null — confirm.
        result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN");
        if (result.Equals("SYN/ACK"))
        {
            Console.WriteLine("[+] OK");

            // Ask the remote side which process/user to use; the reply is a comma-separated record.
            if (privileged_techniques.Contains(techniques.ToUpper()))
            {
                result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:privileged");
            }
            else
            {
                result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:regular");
            }

            // payload[0] is the user; [1], [2], [3] are only printed further down.
            string[] payload = result.Split(',');
            string duser = payload[0];
            if (duser == "")
            {
                // No usable session: tell the remote copy to quit, remove what was uploaded, and stop.
                Console.WriteLine("[!] Could not identify a suitable process for the simulation. Is a user logged in on: " + rhost + "?");
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
                Thread.Sleep(1000);
                RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
                RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
                Console.WriteLine("[!] Exitting.");
                return;
            }
            else
            {
                // duser is expected in DOMAIN\user form.
                // NOTE(review): [1] throws IndexOutOfRangeException when the value has no backslash.
                string user = duser.Split('\\')[1];

                // Run parameters are sent one pipe message each, before "act" below.
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "simrpath:" + simrpath);
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "technique:" + techniques);
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "opsec:" + "ppid");
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pbsleep:" + pbsleep.ToString());
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "tsleep:" + tsleep.ToString());
                if (cleanup)
                {
                    NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cleanup:True");
                }
                else
                {
                    NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cleanup:False");
                }
                Console.WriteLine("[!] Recon -> " + String.Format("Identified logged user: {0}", duser));

                // Second copy goes under the profile of the identified user. The profile root is
                // hard-coded as C:\Users\<user>; the real profile directory is not looked up.
                string simfpath = "C:\\Users\\" + user + "\\" + simrpath;
                int index2 = simrpath.LastIndexOf(@"\");
                string simrfolder = simrpath.Substring(0, index2 + 1);
                string simfolder = "C:\\Users\\" + user + "\\" + simrfolder;
                Console.WriteLine("[+] Uploading Simulation agent to " + @"\\" + rhost + @"\" + simfpath.Replace(":", "$"));
                RemoteLauncher.upload(uploadPath, simfpath, rhost, ruser, rpwd, domain);

                // NOTE(review): throws IndexOutOfRangeException if the recon reply has fewer than four fields.
                Console.WriteLine("[+] Triggering simulation using PPID Spoofing | Process: {0}.exe | PID: {1} | High Integrity: {2}", payload[1], payload[2], payload[3]);
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "act");
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");

                if (verbose)
                {
                    Console.WriteLine("[+] Grabbing the Scout output...");
                    System.Threading.Thread.Sleep(1000);
                    string sresults = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
                    Console.WriteLine("[+] Results:");
                    Console.WriteLine();
                    Console.WriteLine(sresults);
                }

                // Poll the second copy's log. The wait grows 10 s, 20 s, 30 s, … per iteration.
                // NOTE(review): there is no iteration cap — if "Playbook Finished" never appears, this loop
                // runs indefinitely and the uploaded files stay on the host.
                // NOTE(review): if the log ends with a trailing '\n', Last() is "" — confirm the agent's log format.
                Thread.Sleep(5000);
                bool finished = false;
                int counter = 1;
                string results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
                while (finished == false)
                {
                    if (results.Split('\n').Last().Contains("Playbook Finished"))
                    {
                        Console.WriteLine("[+] Results:");
                        Console.WriteLine();
                        Console.WriteLine(results);
                        Console.WriteLine();

                        // Remove both copies and both logs.
                        Console.WriteLine("[+] Cleaning up...");
                        Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
                        RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
                        Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
                        RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
                        Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + simfpath.Replace(":", "$"));
                        RemoteLauncher.delete(simfpath, rhost, ruser, rpwd, domain);
                        Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (simfolder + log).Replace(":", "$"));
                        RemoteLauncher.delete(simfolder + log, rhost, ruser, rpwd, domain);
                        finished = true;
                    }
                    else
                    {
                        Console.WriteLine("[+] Not finished. Waiting an extra {0} seconds", counter * 10);
                        Thread.Sleep(counter * 10 * 1000);
                        results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
                    }
                    counter += 1;
                }
            }
        }
        else
        {
            // Handshake failed. NOTE(review): the uploaded copy and its log are not deleted on this path.
            Console.WriteLine("[!] Could not connect to namedpipe service");
            Console.WriteLine("[!] Exitting.");
            return;
        }
    }
    else
    {
        // Direct path: the single uploaded copy is started with "/s" and receives all parameters in one
        // space-separated pipe message.
        Console.WriteLine("[+] Uploading and executing the Simulation agent on {0} ", @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
        RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
        RemoteLauncher.wmiexec(rhost, scoutfpath, "/s", domain, ruser, rpwd);
        Thread.Sleep(2000);
        if (cleanup)
        {
            NamedPipes.RunClient(rhost, domain, ruser, rpwd, simulator_np, "technique:" + techniques + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:True");
        }
        else
        {
            NamedPipes.RunClient(rhost, domain, ruser, rpwd, simulator_np, "technique:" + techniques + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:False");
        }

        // Same uncapped, linearly growing poll as in the opsec path, against the first copy's log.
        Thread.Sleep(5000);
        bool finished = false;
        int counter = 1;
        string results = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
        while (finished == false)
        {
            if (results.Split('\n').Last().Contains("Playbook Finished"))
            {
                Console.WriteLine("[+] Obtaining results...");
                Console.WriteLine("[+] Results:");
                Console.WriteLine();
                Console.WriteLine(results);
                Console.WriteLine();
                Console.WriteLine("[+] Cleaning up...");
                Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
                RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
                Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
                RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
                finished = true;
            }
            else
            {
                Console.WriteLine("[+] Not finished. Waiting an extra {0} seconds", counter * 10);
                Thread.Sleep(counter * 10 * 1000);
                results = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
            }
            counter += 1;
        }
    }
}
/// <summary>
/// Non-interactive variant of ExecuteRemoteTechniques that returns the remote log parsed by
/// Json.GetPlaybookResult instead of only printing it. Differences from the console variant, as
/// visible here: no password prompt (an empty <paramref name="rpwd"/> is passed through as is),
/// remote cleanup is always requested ("cleanup:True"), and the non-opsec path starts the copy with
/// "/t &lt;techniques&gt;", waits a fixed 3 s and reads the log once instead of polling for
/// "Playbook Finished".
/// </summary>
/// <param name="rhost">Host the upload, the WMI call and every named-pipe round trip are directed at.</param>
/// <param name="domain">Domain of the account used for all remote calls.</param>
/// <param name="ruser">User name of that account.</param>
/// <param name="rpwd">Password for that account; used as given, no interactive fallback here.</param>
/// <param name="techniques">Technique identifier string forwarded to the remote agent and compared
/// (upper-cased, whole string) against the privileged list below.</param>
/// <param name="pbsleep">Forwarded verbatim as "pbsleep:…" (opsec path).</param>
/// <param name="tsleep">Forwarded verbatim as "tsleep:…" (opsec path).</param>
/// <param name="scoutfpath">Full remote path the executable is copied to.</param>
/// <param name="scout_np">Named pipe used to talk to the first remote copy (opsec path).</param>
/// <param name="simrpath">Path of the second copy, relative to C:\Users\&lt;user&gt; (opsec path).</param>
/// <param name="log">Log file name, looked for in the folder of each uploaded copy.</param>
/// <param name="opsec">true selects the two-stage path; false runs the single copy directly.</param>
/// <param name="verbose">NOTE(review): not referenced anywhere in this method.</param>
/// <returns>The parsed playbook result, or null when the handshake fails or no logged-in user was
/// identified (both opsec path only).</returns>
public static SimulationPlaybookResult ExecuteRemoteTechniquesJson(string rhost, string domain, string ruser, string rpwd, string techniques, int pbsleep, int tsleep, string scoutfpath, string scout_np, string simrpath, string log, bool opsec, bool verbose)
{
    // Technique IDs the remote side has to run from a high-integrity process; a match selects
    // "recon:privileged". Exact whole-string match, same caveat as in ExecuteRemoteTechniques.
    string[] privileged_techniques = new string[] { "T1003.001", "T1136.001", "T1070.001", "T1543.003", "T1546.003" };

    // The file that gets uploaded is this very executable.
    string uploadPath = System.Reflection.Assembly.GetEntryAssembly().Location;

    // Folder part of scoutfpath, trailing backslash included ("" when there is no backslash).
    int index = scoutfpath.LastIndexOf(@"\");
    string scoutFolder = scoutfpath.Substring(0, index + 1);
    Thread.Sleep(3000);

    if (opsec)
    {
        string result = "";
        string args = "/o";
        RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
        RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd);

        // Handshake: "SYN" must be answered with exactly "SYN/ACK".
        // NOTE(review): result.Equals would throw NullReferenceException if RunClient can return null — confirm.
        result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN");
        if (result.Equals("SYN/ACK"))
        {
            if (privileged_techniques.Contains(techniques.ToUpper()))
            {
                result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:privileged");
            }
            else
            {
                result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:regular");
            }

            // Comma-separated recon reply; only payload[0] (the user) is used in this method.
            string[] payload = result.Split(',');
            string duser = payload[0];
            if (duser == "")
            {
                // No usable session: quit the remote copy, remove what was uploaded, report null.
                Console.WriteLine("[!] Could not identify a suitable process for the simulation. Is a user logged in on: " + rhost + "?");
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
                Thread.Sleep(1000);
                RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
                RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
                return(null);
            }
            else
            {
                // duser is expected in DOMAIN\user form.
                // NOTE(review): [1] throws IndexOutOfRangeException when the value has no backslash.
                string user = duser.Split('\\')[1];

                // Run parameters, one pipe message each; cleanup is always requested on this path.
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "simrpath:" + simrpath);
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "technique:" + techniques);
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "opsec:" + "ppid");
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pbsleep:" + pbsleep.ToString());
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "tsleep:" + tsleep.ToString());
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cleanup:True");

                // Second copy under the identified user's profile; profile root hard-coded as C:\Users\<user>.
                string simfpath = "C:\\Users\\" + user + "\\" + simrpath;
                int index2 = simrpath.LastIndexOf(@"\");
                string simrfolder = simrpath.Substring(0, index2 + 1);
                string simfolder = "C:\\Users\\" + user + "\\" + simrfolder;
                RemoteLauncher.upload(uploadPath, simfpath, rhost, ruser, rpwd, domain);
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "act");
                NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");

                // Poll the second copy's log; wait grows 10 s, 20 s, 30 s, … per iteration.
                // NOTE(review): no iteration cap — runs indefinitely if "Playbook Finished" never appears.
                // NOTE(review): if the log ends with a trailing '\n', Last() is "" — confirm the agent's log format.
                System.Threading.Thread.Sleep(5000);
                bool finished = false;
                int counter = 1;
                string results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
                while (finished == false)
                {
                    if (results.Split('\n').Last().Contains("Playbook Finished"))
                    {
                        Console.WriteLine("[+] Results:");
                        Console.WriteLine();
                        Console.WriteLine(results);
                        Console.WriteLine();

                        // Remove both copies and both logs (silently, unlike the console variant).
                        RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
                        RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
                        RemoteLauncher.delete(simfpath, rhost, ruser, rpwd, domain);
                        RemoteLauncher.delete(simfolder + log, rhost, ruser, rpwd, domain);
                        finished = true;
                    }
                    else
                    {
                        Console.WriteLine("[+] Not finished. Waiting an extra {0} seconds", counter * 10);
                        Thread.Sleep(counter * 10 * 1000);
                        results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
                    }
                    counter += 1;
                }
                return(Json.GetPlaybookResult(results));
            }
        }
        else
        {
            // Handshake failed. NOTE(review): nothing is printed and the uploaded copy is not deleted on this path.
            return(null);
        }
    }
    else
    {
        // Direct path: the copy is started with "/t <techniques>" and no pipe is used.
        RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
        string cmdline = "/t " + techniques;
        RemoteLauncher.wmiexec(rhost, scoutfpath, cmdline, domain, ruser, rpwd);

        // NOTE(review): a single read after a fixed 3 s — there is no "Playbook Finished" poll here, so
        // the parsed result may cover an unfinished run. Cleanup then removes the copy and its log.
        Thread.Sleep(3000);
        Console.WriteLine("[+] Obtaining results...");
        string results = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
        Console.WriteLine("[+] Results:");
        Console.WriteLine();
        Console.WriteLine(results);
        RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
        RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
        return(Json.GetPlaybookResult(results));
    }
}
/// <summary>
/// Runs one or all "scout" queries against <paramref name="rhost"/> and prints the decoded answers.
/// The action is checked against a fixed allow-list before anything touches the remote host; then the
/// running executable is copied to <paramref name="scoutfpath"/>, started through WMI with "/o", and
/// queried over the named pipe. Each answer is Base64-decoded as UTF-8. On success the uploaded copy
/// and its log are deleted again.
/// </summary>
/// <param name="rhost">Host the upload, the WMI call and the pipe round trips are directed at.</param>
/// <param name="domain">Domain of the account used for all remote calls.</param>
/// <param name="ruser">User name of that account.</param>
/// <param name="rpwd">Password; when empty it is read interactively via Utils.GetPassword().</param>
/// <param name="scoutfpath">Full remote path the executable is copied to.</param>
/// <param name="log">Log file name, looked for in the folder of the uploaded copy.</param>
/// <param name="scout_action">One of "all", "wef", "pws", "ps", "svcs", "auditpol", "cmdline"; anything
/// else is rejected before any remote action.</param>
/// <param name="scout_np">Named pipe the remote copy answers on.</param>
/// <param name="verbose">Also fetches and prints the remote copy's log file.</param>
public static void Scout(string rhost, string domain, string ruser, string rpwd, string scoutfpath, string log, string scout_action, string scout_np, bool verbose)
{
    // Allow-list of accepted actions; checked first so an unknown action causes no remote activity.
    List<String> actions = new List<string>() { "all", "wef", "pws", "ps", "svcs", "auditpol", "cmdline" };
    if (!actions.Contains(scout_action))
    {
        Console.WriteLine("[*] Not supported.");
        Console.WriteLine("[*] Exiting");
        return;
    }

    // Interactive fallback when no password was supplied.
    if (rpwd == "")
    {
        Console.Write("Password for {0}\\{1}: ", domain, ruser);
        rpwd = Utils.GetPassword();
        Console.WriteLine();
    }

    // The file that gets uploaded is this very executable.
    string uploadPath = System.Reflection.Assembly.GetEntryAssembly().Location;

    // Folder part of scoutfpath, trailing backslash included ("" when there is no backslash).
    int index = scoutfpath.LastIndexOf(@"\");
    string scoutFolder = scoutfpath.Substring(0, index + 1);
    string args = "/o";
    Console.WriteLine("[+] Uploading Scout to {0} on {1}", scoutfpath, rhost);
    RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
    Console.WriteLine("[+] Executing the Scout via WMI ...");
    RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd);
    Console.WriteLine("[+] Connecting to the Scout ...");

    // Handshake: "SYN" must be answered with exactly "SYN/ACK".
    // NOTE(review): result.Equals would throw NullReferenceException if RunClient can return null — confirm.
    string result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN");
    if (result.Equals("SYN/ACK"))
    {
        Console.WriteLine("[+] OK");
        string results;
        if (scout_action.Equals("all"))
        {
            // Fixed query order; every reply is Base64 → UTF-8 and appended to one string.
            // NOTE(review): Convert.FromBase64String throws FormatException on a non-Base64 reply;
            // nothing here catches it, so the remote copy would not be told to quit.
            string temp;
            temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "wef");
            results = Encoding.UTF8.GetString(Convert.FromBase64String(temp));
            temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pws");
            results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
            temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cmdline");
            results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
            temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "ps");
            results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
            temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "svcs");
            results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
            temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "auditpol");
            results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
            NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
        }
        else
        {
            // Single query; the validated action string is sent as the pipe command.
            results = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, scout_action);
            results = Encoding.UTF8.GetString(Convert.FromBase64String(results));
            NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
        }

        if (verbose)
        {
            Console.WriteLine("[+] Grabbing the Scout output...");
            System.Threading.Thread.Sleep(1000);
            string sresults = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
            Console.WriteLine("[+] Results:");
            Console.WriteLine();
            Console.WriteLine(sresults);
        }

        Console.WriteLine("[+] Scout Results...");
        Console.WriteLine();
        Console.WriteLine(results);
        Console.WriteLine();

        // Remove the uploaded copy and its log.
        Console.WriteLine("[+] Cleaning up...");
        Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
        RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
        Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
        RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
    }
    // NOTE(review): no else branch — when the handshake fails nothing is printed and the uploaded
    // copy and its log remain on the host.
}