private static void CallVCoverService_ReadData(WaitObject @object) { Task.Factory.StartNew((o) => { WaitObject obj = (WaitObject)o; m_WaitObjects[obj.Key] = obj; List <FileInfo> files = (List <FileInfo>)obj.Value; try { StringBuilder b = new StringBuilder(); b.Append(obj.Key); b.Append(";"); foreach (FileInfo info in files) { b.Append(info.FullName); b.Append(";"); } NamedPipes.SendMessage("VCOVER", b.ToString()); } catch (Exception ex) { obj.Err = ex; } }, @object); }
public static void Inject() { if (NamedPipes.NamedPipeExist(NamedPipes.luapipename)) //check if the pipe exist { MessageBox.Show("Already injected!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Asterisk); //if the pipe exist that's mean that we don't need to inject return; } else if (!NamedPipes.NamedPipeExist(NamedPipes.luapipename)) //check if the pipe don't exist { switch (Injector.DllInjector.GetInstance.Inject("RobloxPlayerBeta", AppDomain.CurrentDomain.BaseDirectory + "Axon.dll")) //Process name and dll directory { case Injector.DllInjectionResult.DllNotFound: //if can't find the dll MessageBox.Show($"Could not find Axon DLL!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); //display messagebox to tell that dll was not found return; case Injector.DllInjectionResult.GameProcessNotFound: //if can't find the process MessageBox.Show("Couldn't find RobloxPlayerBeta!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); //display messagebox to tell that proccess was not found return; case Injector.DllInjectionResult.InjectionFailed: //if injection fails(this don't work or only on special cases) MessageBox.Show("Injection failed! Please try again later.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); //display messagebox to tell that injection failed return; } Thread.Sleep(3000); if (!NamedPipes.NamedPipeExist(NamedPipes.luapipename)) //check if the pipe dont exist { MessageBox.Show("Injection failed! Please try again later.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); //display that the pipe was not found so the injection was unsuccessful } } }
private void ExecuteButton_Click(object sender, EventArgs e) { if (NamedPipes.NamedPipeExist(NamedPipes.luapipename)) { NamedPipes.LuaPipe(ScriptBox.Text); } else { MessageBox.Show("Inject " + Functions.exploitdllname + " before Using this!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Exclamation); return; } }
static void Main() { bool newInstance; using (Mutex mutex = new Mutex(false, "VCover", out newInstance)) { if (newInstance) { try { ThreadPool.SetMaxThreads(50, 100); Thread.CurrentThread.CurrentCulture = Thread.CurrentThread.CurrentUICulture = CultureInfo.GetCultureInfo("en-us"); StartUp.TryToAddAppSafe(); Application.EnableVisualStyles(); Application.SetCompatibleTextRenderingDefault(false); AppDomain.CurrentDomain.UnhandledException += new UnhandledExceptionEventHandler(CurrentDomain_UnhandledException); Application.ThreadException += new ThreadExceptionEventHandler(OnThreadException); var ctn = new AppContext(); ctn.NewInFileEvent += new EventHandler <ValueEventArgs <Guid, string> >(NewCommandFileEvent); ctn.Started += new EventHandler(ctn_Started); StateSaver.Error += new ThreadExceptionEventHandler(OnThreadException); AppContext.Default.Error += new ThreadExceptionEventHandler(OnThreadException); StateSaver.Default.Path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "VCover.dat"); StateSaver.Default.Load(); TemplateMatcher.Path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "TemplateMatcher.dat"); TemplateMatcher.Load(); NamedPipes.ReceivedData += new ReceivedDataDelegate(NamedPipes_ReceivedData); NamedPipes.Error += new ThreadExceptionEventHandler(OnThreadException); NamedPipes.StartServer("VCOVER"); Application.Run(ctn); } finally { StateSaver.Default.Save(); TemplateMatcher.Save(); } } else { MessageBox.Show("An instance is already started.\r\nPlease close it first.", Application.ProductName, MessageBoxButtons.OK, MessageBoxIcon.Exclamation); } } }
public static void Execute(string script = "print(\"Hello World!\")") { if (NamedPipes.NamedPipeExist(NamedPipes.luapipename)) //check if the pipe exist { NamedPipes.LuaPipe(script); //lua pipe function to send the script } else { MessageBox.Show($"Inject Axon before using this!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Exclamation);//if the pipe can't be found a messagebox will appear return; } }
public void Run() { StateSaver.Default.Set(Strings.USE_VCOVER, true); var prtReadData = ms_ReadDataDelegate.GetFunctionPointer(); StateSaver.Default.Set(Strings.VCOVER_FUNC, prtReadData); NamedPipes.ReceivedData += new ReceivedDataDelegate(NamedPipes_ReceivedData); NamedPipes.Error += new ThreadExceptionEventHandler(NamedPipes_Error); NamedPipes.StartServer("VPRINT"); }
private void button2_Click(object sender, EventArgs e) { if (apis.api == "ZeusX") { FastColoredTextBox fastColoredTextBox1 = this.tabControl1.SelectedTab.Controls.Find ("fastColoredTextBox1", true).FirstOrDefault <Control>() as FastColoredTextBox; object[] args = new string[0]; object obj = fastColoredTextBox1.Text; string script = obj.ToString(); NamedPipes.LuaPipe(script); } if (apis.api == "Sirhurt") { FastColoredTextBox fastColoredTextBox1 = this.tabControl1.SelectedTab.Controls.Find ("fastColoredTextBox1", true).FirstOrDefault <Control>() as FastColoredTextBox; object[] args = new string[0]; object obj = fastColoredTextBox1.Text; string script = obj.ToString(); SirHurtAPI.SirHurtAPI.Execute(script, true); } if (apis.api == "Electron") { FastColoredTextBox fastColoredTextBox1 = this.tabControl1.SelectedTab.Controls.Find ("fastColoredTextBox1", true).FirstOrDefault <Control>() as FastColoredTextBox; object[] args = new string[0]; object obj = fastColoredTextBox1.Text; string script = obj.ToString(); Electron.NamedPipes.LuaPipe(script); } if (apis.api == "KRNL") { FastColoredTextBox fastColoredTextBox1 = this.tabControl1.SelectedTab.Controls.Find ("fastColoredTextBox1", true).FirstOrDefault <Control>() as FastColoredTextBox; object[] args = new string[0]; object obj = fastColoredTextBox1.Text; string script = obj.ToString(); MainAPI.Execute(script); } }
public void SaveResult(Guid id, params string[] fileList) { StringBuilder b = new StringBuilder(); b.Append(id.ToString()); b.Append(";"); foreach (var st in fileList) { b.Append(st); b.Append(";"); } NamedPipes.SendMessage("VPRINT", b.ToString()); }
private void Application_Startup(object sender, StartupEventArgs e) { if (ProcessFinder.IsProcessAlreadyRunning()) { if (e.Args.Any() && // Check if args contain any data e.Args[0].StartsWith("nxm", StringComparison.OrdinalIgnoreCase)) // Check to see if it contains correct data { NamedPipes.SendMessage(e.Args[0]); } // We only want one instance of Automaton running at one time Environment.Exit(0); } }
public MainViewModel() { BrowseCommand = new RelayCommand(Browse); ApplyCommand = new RelayCommand(Apply); CancelCommand = new RelayCommand(Cancel); SkipCommand = new RelayCommand((arg) => Continue()); SearchEngine.Initialize(); SearchEngine.SearchCompleted += (args) => { Covers = args; IsSearching = false; }; NamedPipes.MessageReceived += NamedPipes_MessageReceived; NamedPipes.StartServer(); }
private void pictureBox4_Click(object sender, EventArgs e) { if (checkBox4.Checked == true) { NamedPipes.LuaPipe(fastColoredTextBox2.Text); } if (checkBox3.Checked == true) { OxygenU_API.Execute(fastColoredTextBox2.Text); } if (checkBox2.Checked == true) { MainAPI.Execute(fastColoredTextBox2.Text); } if (checkBox1.Checked == true) { module.ExecuteScript(fastColoredTextBox2.Text); } }
private void pictureBox13_Click(object sender, EventArgs e) { MessageBox.Show("E to open gui", "Vietnam"); if (checkBox4.Checked == true) { NamedPipes.LuaPipe(fastColoredTextBox11.Text); } if (checkBox3.Checked == true) { OxygenU_API.Execute(fastColoredTextBox11.Text); } if (checkBox2.Checked == true) { MainAPI.Execute(fastColoredTextBox11.Text); } if (checkBox1.Checked == true) { module.ExecuteScript(fastColoredTextBox11.Text); } }
private void pictureBox6_Click(object sender, EventArgs e) { if (checkBox4.Checked == true) { MessageBox.Show("Please use the api Krnl", "XFORCE"); NamedPipes.LuaPipe(fastColoredTextBox5.Text); } if (checkBox3.Checked == true) { OxygenU_API.Execute(fastColoredTextBox5.Text); } if (checkBox2.Checked == true) { MainAPI.Execute(fastColoredTextBox5.Text); } if (checkBox1.Checked == true) { module.ExecuteScript(fastColoredTextBox5.Text); } }
private static void PrintNamedPipes() { Beaprint.MainPrint("Enumerating Named Pipes"); try { string formatString = " {0,-100} {1}\n"; Beaprint.NoColorPrint(string.Format($"{formatString}", "Name", "Sddl")); foreach (var namedPipe in NamedPipes.GetNamedPipeInfos()) { Beaprint.BadPrint(string.Format(formatString, namedPipe.Name, namedPipe.Sddl)); } } catch (Exception ex) { //Beaprint.PrintException(ex.Message); } }
/// <summary> /// Recieves messages from the NXMWorker and routes them back to the calling method by IProgress. /// </summary> /// <param name="progress"></param> public void StartRecievingProtocolValues(IProgress <CaptureProtocolValuesProgress> progress) { var namedPipes = new NamedPipes(new Progress <string>(protocolResponse => { var splitProtocolResponse = protocolResponse.Replace("nxm://", "") .Split('/'); if (true || splitProtocolResponse[0].ToLower() == ModpackHeader.TargetGame) { var progressObject = new CaptureProtocolValuesProgress() { ModId = splitProtocolResponse[2], FileId = splitProtocolResponse[4] }; // Report back to the calling method progress.Report(progressObject); } })); namedPipes.StartServer(); }
public static void check() { for (;;) { if (NamedPipes.NamedPipeExist(NamedPipes.luapipename)) { Console.WriteLine("Pipe found"); } else { Console.WriteLine("Pipe doesn't exist"); } //foreach (Process pc in Process.GetProcessesByName("RobloxPlayerBeta")) // try // { // pc.Kill(); // } // catch (Exception ex) // { // Console.WriteLine($"Nothing to worrie about " + ex.ToString()); // } Thread.Sleep(2000); } }
private void BunifuExecLua_Click(object sender, EventArgs e) { switch (ExeMode) { case 1: if (WRDAPICheck.Value == true) { ExploitAPI.ExploitAPI.SendLuaScript(TextArea.Text); Console.WriteLine("Executed script using WeAreDevs API"); } else if (APIMCheck.Value == true) { ApiModule.ApiModule.ExecuteScript(TextArea.Text); Console.WriteLine("Executed script using ApiModule"); } else if (SkidsploitOnOff.Value == true) { MessageBox.Show("Not supported at this build!, please wait for a newer build that support Skisploit API", "Generic Exploit Loader", MessageBoxButtons.OK, MessageBoxIcon.Error); /*RedBoy.NamedPipes.LuaPipe(TextArea.Text); * Console.WriteLine("Executed script using RedBoy"); */// We dont need this since we can't inject Rb. } else if (HaxonSwitch.Value == true) { NamedPipes.LuaPipe(TextArea.Text); Console.WriteLine("Executed script using Haxon-[Generic]"); } else if (AwSwitch.Value == true) { AwApi.Execute(TextArea.Text); Console.WriteLine("Executed script using AutisticWare"); } else if (Ax0nSwitch.Value == true) { NamedPipes.LuaPipe(TextArea.Text); Console.WriteLine("Executed script using Axon-Generic"); } else if (sirhurtswitch.Value == true) { NamedPipes.LuaPipe(TextArea.Text); Console.WriteLine("Executed script using SirHurt-[Generic]"); } else { Console.WriteLine("Can't execute script, user hasn't choosed mode yet."); MessageBox.Show("Please choose a mode to execute.", "Generic Exploit Loader", MessageBoxButtons.OK, MessageBoxIcon.Error); } break; case 2: HtmlDocument document = this.MonacoEditor.Document; string scriptName = "GetText"; object[] array = new string[0]; object[] args = array; if (WRDAPICheck.Value == true) { ExploitAPI.ExploitAPI.SendLuaScript(document.InvokeScript(scriptName, args).ToString()); Console.WriteLine("Executed script using WeAreDevs API"); } else if (APIMCheck.Value == true) { ApiModule.ApiModule.ExecuteScript(document.InvokeScript(scriptName, args).ToString()); Console.WriteLine("Executed script using ApiModule"); } else if (SkidsploitOnOff.Value == true) { MessageBox.Show("Not supported at this build!, please wait for a newer build that support Skisploit API", "Generic Exploit Loader", MessageBoxButtons.OK, MessageBoxIcon.Error); /* * RedBoy.NamedPipes.LuaPipe(document.InvokeScript(scriptName, args).ToString()); * Console.WriteLine("Executed script using RedBoy"); */// Not working since we cant inject rb. } else if (HaxonSwitch.Value == true) { NamedPipes.LuaPipe(document.InvokeScript(scriptName, args).ToString()); Console.WriteLine("Executed script using Haxon-[Generic]"); } else if (AwSwitch.Value == true) { AwApi.Execute(document.InvokeScript(scriptName, args).ToString()); Console.WriteLine("Executed script using AutisticWare"); } else if (Ax0nSwitch.Value == true) { NamedPipes.LuaPipe(document.InvokeScript(scriptName, args).ToString()); Console.WriteLine("Executed script using Axon-Generic"); } else if (sirhurtswitch.Value == true) { if (ara_ara == null) { ara_ara = CallSite <Action <CallSite, Type, object> > .Create(Binder.InvokeMember(CSharpBinderFlags.ResultDiscarded, "SirHurtPipe", null, typeof(DefaultForm), new CSharpArgumentInfo[] { CSharpArgumentInfo.Create(CSharpArgumentInfoFlags.UseCompileTimeType | CSharpArgumentInfoFlags.IsStaticType, null), CSharpArgumentInfo.Create(CSharpArgumentInfoFlags.None, null) })); } ara_ara.Target(ara_ara, typeof(DefaultForm), document.InvokeScript(scriptName, args).ToString()); Console.WriteLine("Executed script using SirHurt"); } else { Console.WriteLine("Can't execute script, user hasn't choosed mode yet."); MessageBox.Show("Please choose a mode to execute.", "Generic Exploit Loader", MessageBoxButtons.OK, MessageBoxIcon.Error); } break; } }
public static SimulationPlaybookResult ExecuteRemoteTechniquesJson(string rhost, string domain, string ruser, string rpwd, string techniques, int pbsleep, int tsleep, string scoutfpath, string scout_np, string simrpath, string log, bool opsec, bool verbose) { // techniques that need to be executed from a high integrity process string[] privileged_techniques = new string[] { "T1003.001", "T1136.001", "T1070.001", "T1543.003", "T1546.003" }; string uploadPath = System.Reflection.Assembly.GetEntryAssembly().Location; int index = scoutfpath.LastIndexOf(@"\"); string scoutFolder = scoutfpath.Substring(0, index + 1); Thread.Sleep(3000); if (opsec) { string result = ""; string args = "/o"; //Console.WriteLine("[+] Uploading Scout to {0} on {1}", scoutfpath, rhost); RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain); //Console.WriteLine("[+] Executing the Scout via WMI ..."); RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd); //Console.WriteLine("[+] Connecting to namedpipe service ..."); result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN"); if (result.Equals("SYN/ACK")) { //Console.WriteLine("[+] OK"); if (privileged_techniques.Contains(techniques.ToUpper())) { result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:privileged"); } else { result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:regular"); } string[] payload = result.Split(','); string duser = payload[0]; if (duser == "") { Console.WriteLine("[!] Could not identify a suitable process for the simulation. Is a user logged in on: " + rhost + "?"); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit"); Thread.Sleep(1000); RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain); RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain); //Console.WriteLine("[!] Exitting."); return(null); } else { string user = duser.Split('\\')[1]; NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "simrpath:" + simrpath); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "technique:" + techniques); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "opsec:" + "ppid"); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pbsleep:" + pbsleep.ToString()); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "tsleep:" + tsleep.ToString()); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cleanup:True"); string simfpath = "C:\\Users\\" + user + "\\" + simrpath; int index2 = simrpath.LastIndexOf(@"\"); string simrfolder = simrpath.Substring(0, index2 + 1); string simfolder = "C:\\Users\\" + user + "\\" + simrfolder; //Console.WriteLine("[+] Uploading Simulation agent to " + simfpath); RemoteLauncher.upload(uploadPath, simfpath, rhost, ruser, rpwd, domain); //Console.WriteLine("[+] Triggering simulation..."); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "act"); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit"); System.Threading.Thread.Sleep(5000); bool finished = false; int counter = 1; string results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain); while (finished == false) { if (results.Split('\n').Last().Contains("Playbook Finished")) { Console.WriteLine("[+] Results:"); Console.WriteLine(); Console.WriteLine(results); Console.WriteLine(); RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain); RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain); RemoteLauncher.delete(simfpath, rhost, ruser, rpwd, domain); RemoteLauncher.delete(simfolder + log, rhost, ruser, rpwd, domain); finished = true; } else { Console.WriteLine("[+] Not finished. Waiting an extra {0} seconds", counter * 10); Thread.Sleep(counter * 10 * 1000); results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain); } counter += 1; } return(Json.GetPlaybookResult(results)); } } else { //Console.WriteLine("[!] Could not connect to namedpipe service"); return(null); } } else { //Console.WriteLine("[+] Uploading PurpleSharp to {0} on {1}", scoutfpath, rhost); RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain); string cmdline = "/t " + techniques; //Console.WriteLine("[+] Executing PurpleSharp via WMI ..."); RemoteLauncher.wmiexec(rhost, scoutfpath, cmdline, domain, ruser, rpwd); Thread.Sleep(3000); Console.WriteLine("[+] Obtaining results..."); string results = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain); Console.WriteLine("[+] Results:"); Console.WriteLine(); Console.WriteLine(results); //Console.WriteLine("[+] Cleaning up..."); //Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$")); RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain); // //Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$")); RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain); return(Json.GetPlaybookResult(results)); } }
public static void ExecuteRemoteTechniques(string rhost, string domain, string ruser, string rpwd, string techniques, int pbsleep, int tsleep, string scoutfpath, string scout_np, string simrpath, string simulator_np, string log, bool opsec, bool verbose, bool cleanup) { // techniques that need to be executed from a high integrity process string[] privileged_techniques = new string[] { "T1003.001", "T1136.001", "T1070.001", "T1543.003", "T1546.003" }; if (rpwd == "") { Console.Write("Password for {0}\\{1}: ", domain, ruser); rpwd = Utils.GetPassword(); Console.WriteLine(); } string uploadPath = System.Reflection.Assembly.GetEntryAssembly().Location; int index = scoutfpath.LastIndexOf(@"\"); string scoutFolder = scoutfpath.Substring(0, index + 1); System.Threading.Thread.Sleep(3000); if (opsec) { string result = ""; string args = "/o"; Console.WriteLine("[+] Uploading and executing the Scout on {0} ", @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$")); RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain); RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd); Console.WriteLine("[+] Connecting to the Scout ..."); result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN"); if (result.Equals("SYN/ACK")) { Console.WriteLine("[+] OK"); if (privileged_techniques.Contains(techniques.ToUpper())) { result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:privileged"); } else { result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:regular"); } string[] payload = result.Split(','); string duser = payload[0]; if (duser == "") { Console.WriteLine("[!] Could not identify a suitable process for the simulation. Is a user logged in on: " + rhost + "?"); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit"); Thread.Sleep(1000); RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain); RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain); Console.WriteLine("[!] Exitting."); return; } else { string user = duser.Split('\\')[1]; //Console.WriteLine("[+] Sending simulator binary..."); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "simrpath:" + simrpath); //Console.WriteLine("[+] Sending technique ..."); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "technique:" + techniques); //Console.WriteLine("[+] Sending opsec techqniue..."); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "opsec:" + "ppid"); //Console.WriteLine("[+] Sending sleep..."); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pbsleep:" + pbsleep.ToString()); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "tsleep:" + tsleep.ToString()); if (cleanup) { NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cleanup:True"); } else { NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cleanup:False"); } Console.WriteLine("[!] Recon -> " + String.Format("Identified logged user: {0}", duser)); string simfpath = "C:\\Users\\" + user + "\\" + simrpath; int index2 = simrpath.LastIndexOf(@"\"); string simrfolder = simrpath.Substring(0, index2 + 1); string simfolder = "C:\\Users\\" + user + "\\" + simrfolder; Console.WriteLine("[+] Uploading Simulation agent to " + @"\\" + rhost + @"\" + simfpath.Replace(":", "$")); RemoteLauncher.upload(uploadPath, simfpath, rhost, ruser, rpwd, domain); Console.WriteLine("[+] Triggering simulation using PPID Spoofing | Process: {0}.exe | PID: {1} | High Integrity: {2}", payload[1], payload[2], payload[3]); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "act"); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit"); if (verbose) { Console.WriteLine("[+] Grabbing the Scout output..."); System.Threading.Thread.Sleep(1000); string sresults = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain); Console.WriteLine("[+] Results:"); Console.WriteLine(); Console.WriteLine(sresults); } Thread.Sleep(5000); bool finished = false; int counter = 1; string results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain); while (finished == false) { if (results.Split('\n').Last().Contains("Playbook Finished")) { //Console.WriteLine("[+] Obtaining the Simulation Agent output..."); Console.WriteLine("[+] Results:"); Console.WriteLine(); Console.WriteLine(results); Console.WriteLine(); Console.WriteLine("[+] Cleaning up..."); Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$")); RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain); Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$")); RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain); Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + simfpath.Replace(":", "$")); RemoteLauncher.delete(simfpath, rhost, ruser, rpwd, domain); Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (simfolder + log).Replace(":", "$")); RemoteLauncher.delete(simfolder + log, rhost, ruser, rpwd, domain); finished = true; } else { Console.WriteLine("[+] Not finished. Waiting an extra {0} seconds", counter * 10); Thread.Sleep(counter * 10 * 1000); results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain); } counter += 1; } } } else { Console.WriteLine("[!] Could not connect to namedpipe service"); Console.WriteLine("[!] Exitting."); return; } } else { Console.WriteLine("[+] Uploading and executing the Simulation agent on {0} ", @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$")); RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain); RemoteLauncher.wmiexec(rhost, scoutfpath, "/s", domain, ruser, rpwd); Thread.Sleep(2000); if (cleanup) { NamedPipes.RunClient(rhost, domain, ruser, rpwd, simulator_np, "technique:" + techniques + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:True"); } else { NamedPipes.RunClient(rhost, domain, ruser, rpwd, simulator_np, "technique:" + techniques + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:False"); } Thread.Sleep(5000); bool finished = false; int counter = 1; string results = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain); while (finished == false) { if (results.Split('\n').Last().Contains("Playbook Finished")) { Console.WriteLine("[+] Obtaining results..."); Console.WriteLine("[+] Results:"); Console.WriteLine(); Console.WriteLine(results); Console.WriteLine(); Console.WriteLine("[+] Cleaning up..."); Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$")); RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain); Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$")); RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain); finished = true; } else { Console.WriteLine("[+] Not finished. Waiting an extra {0} seconds", counter * 10); Thread.Sleep(counter * 10 * 1000); results = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain); } counter += 1; } } }
public static void Scout(string rhost, string domain, string ruser, string rpwd, string scoutfpath, string log, string scout_action, string scout_np, bool verbose) { List <String> actions = new List <string>() { "all", "wef", "pws", "ps", "svcs", "auditpol", "cmdline" }; if (!actions.Contains(scout_action)) { Console.WriteLine("[*] Not supported."); Console.WriteLine("[*] Exiting"); return; } if (rpwd == "") { Console.Write("Password for {0}\\{1}: ", domain, ruser); rpwd = Utils.GetPassword(); Console.WriteLine(); } string uploadPath = System.Reflection.Assembly.GetEntryAssembly().Location; int index = scoutfpath.LastIndexOf(@"\"); string scoutFolder = scoutfpath.Substring(0, index + 1); string args = "/o"; Console.WriteLine("[+] Uploading Scout to {0} on {1}", scoutfpath, rhost); RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain); Console.WriteLine("[+] Executing the Scout via WMI ..."); RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd); Console.WriteLine("[+] Connecting to the Scout ..."); string result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN"); if (result.Equals("SYN/ACK")) { Console.WriteLine("[+] OK"); string results; if (scout_action.Equals("all")) { string temp; temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "wef"); results = Encoding.UTF8.GetString(Convert.FromBase64String(temp)); temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pws"); results += Encoding.UTF8.GetString(Convert.FromBase64String(temp)); temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cmdline"); results += Encoding.UTF8.GetString(Convert.FromBase64String(temp)); temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "ps"); results += Encoding.UTF8.GetString(Convert.FromBase64String(temp)); temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "svcs"); results += Encoding.UTF8.GetString(Convert.FromBase64String(temp)); temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "auditpol"); results += Encoding.UTF8.GetString(Convert.FromBase64String(temp)); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit"); } else { results = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, scout_action); results = Encoding.UTF8.GetString(Convert.FromBase64String(results)); NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit"); } if (verbose) { Console.WriteLine("[+] Grabbing the Scout output..."); System.Threading.Thread.Sleep(1000); string sresults = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain); Console.WriteLine("[+] Results:"); Console.WriteLine(); Console.WriteLine(sresults); } Console.WriteLine("[+] Scout Results..."); Console.WriteLine(); Console.WriteLine(results); Console.WriteLine(); Console.WriteLine("[+] Cleaning up..."); Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$")); RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain); Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$")); RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain); } }
public static void Main(string[] args) { bool cleanup, opsec, verbose, scoutservice, simservice, newchild, scout, remote, navigator; string techniques, rhost, domain, ruser, rpwd, scoutfpath, simrpath, log, dc, pb_file, nav_action, navfile, scout_action, scout_np, simulator_np; int pbsleep, tsleep, nusers, nhosts; pbsleep = tsleep = 0; nusers = nhosts = 5; opsec = cleanup = true; verbose = scoutservice = simservice = newchild = scout = remote = navigator = false; techniques = rhost = domain = ruser = rpwd = dc = pb_file = nav_action = navfile = scout_action = ""; scoutfpath = "C:\\Windows\\Temp\\Scout.exe"; simrpath = "Downloads\\Firefox_Installer.exe"; log = "0001.dat"; scout_np = "scoutpipe"; simulator_np = "simpipe"; //should move this to sqlite or a JSON file. string[] execution = new string[] { "T1053.005", "T1059.003", "T1059.005", "T1059.007", "T1059.001", "T1569.002" }; string[] persistence = new string[] { "T1053.005", "T1136.001", "T1543.003", "T1547.001", "T1546.003", "T1197" }; string[] privelege_escalation = new string[] { "T1053.005", "T1543.003", "T1547.001", "T1546.003", "T1055.002", "T1055.004" }; string[] defense_evasion = new string[] { "T1218.010", "T1218.005", "T1218.003", "T1218.011", "T1070.001", "T1220", "T1055.002", "T1055.004", "T1140", "T1197", "T1218.009", "T1218.004" }; string[] credential_access = new string[] { "T1110.003", "T1558.003", "T1003.001" }; string[] discovery = new string[] { "T1135", "T1046", "T1087.001", "T1087.002", "T1007", "T1033", "T1049", "T1016", "T1083" }; string[] lateral_movement = new string[] { "T1021", "T1021.006", "T1047" }; string[] supported_techniques = execution.Union(persistence).Union(privelege_escalation).Union(defense_evasion).Union(credential_access).Union(discovery).Union(lateral_movement).ToArray(); if (args.Length == 0) { Usage(); return; } for (int i = 0; i < args.Length; i++) { try { switch (args[i]) { //// User Parameters //// case "/pb": pb_file = args[i + 1]; break; case "/rhost": rhost = args[i + 1]; remote = true; break; case "/ruser": ruser = args[i + 1]; break; case "/d": domain = args[i + 1]; break; case "/rpwd": rpwd = args[i + 1]; break; case "/dc": dc = args[i + 1]; break; case "/t": techniques = args[i + 1]; break; case "/scoutpath": scoutfpath = args[i + 1]; break; case "/simpath": simrpath = args[i + 1]; break; case "/pbsleep": pbsleep = Int32.Parse(args[i + 1]); break; case "/tsleep": tsleep = Int32.Parse(args[i + 1]); break; case "/noopsec": opsec = false; break; case "/v": verbose = true; break; case "/nocleanup": cleanup = false; break; case "/scout": scout = true; scout_action = args[i + 1]; break; case "/navigator": navigator = true; nav_action = args[i + 1]; if (nav_action.Equals("import")) { navfile = args[i + 2]; } break; //// Internal Parameters //// case "/o": scoutservice = true; break; case "/s": simservice = true; break; case "/n": newchild = true; break; default: break; } } catch { Console.WriteLine("[*] Error parsing parameters :( "); Console.WriteLine("[*] Exiting"); return; } } //// Handling Internal Parameters //// if (newchild) { const uint NORMAL_PRIORITY_CLASS = 0x0020; Structs.PROCESS_INFORMATION pInfo = new Structs.PROCESS_INFORMATION(); Structs.STARTUPINFO sInfo = new Structs.STARTUPINFO(); Structs.SECURITY_ATTRIBUTES pSec = new Structs.SECURITY_ATTRIBUTES(); Structs.SECURITY_ATTRIBUTES tSec = new Structs.SECURITY_ATTRIBUTES(); pSec.nLength = Marshal.SizeOf(pSec); tSec.nLength = Marshal.SizeOf(tSec); string currentbin = System.Reflection.Assembly.GetEntryAssembly().Location; //run the simulation agent WinAPI.CreateProcess(null, currentbin + " /s", ref pSec, ref tSec, false, NORMAL_PRIORITY_CLASS, IntPtr.Zero, null, ref sInfo, out pInfo); return; } if (scoutservice) { NamedPipes.RunScoutService(scout_np, simulator_np, log); return; } if (simservice) { string[] options = NamedPipes.RunSimulationService(simulator_np, log); ExecuteTechniques(options[0], nusers, nhosts, Int32.Parse(options[1]), Int32.Parse(options[2]), log, bool.Parse(options[3])); return; } //// Handling User Parameters //// if (navigator) { if (nav_action.Equals("export")) { try { Console.WriteLine("[+] PurpleSharp supports " + supported_techniques.Count() + " unique ATT&CK techniques."); Console.WriteLine("[+] Generating an ATT&CK Navigator layer..."); Json.ExportAttackLayer(supported_techniques.Distinct().ToArray()); Console.WriteLine("[!] Open PurpleSharp.json on https://mitre-attack.github.io/attack-navigator"); return; } catch { Console.WriteLine("[!] Error generating JSON layer..."); Console.WriteLine("[!] Exitting..."); return; } } else if (nav_action.Equals("import")) { Console.WriteLine("[+] Loading {0}", navfile); string json = File.ReadAllText(navfile); NavigatorLayer layer = Json.ReadNavigatorLayer(json); Console.WriteLine("[!] Loaded attack navigator '{0}'", layer.name); Console.WriteLine("[+] Converting ATT&CK navigator Json..."); SimulationExercise engagement = Json.ConvertNavigatorToSimulationExercise(layer, supported_techniques.Distinct().ToArray()); Json.CreateSimulationExercise(engagement); Console.WriteLine("[!] Done"); Console.WriteLine("[+] Open simulation.json"); return; } else { Console.WriteLine("[!] Didnt recognize parameter..."); Console.WriteLine("[!] Exitting..."); return; } } if (scout && !scout_action.Equals("")) { if (!rhost.Equals("") && !domain.Equals("") && !ruser.Equals("")) { if (rpwd == "") { Console.Write("Password for {0}\\{1}: ", domain, ruser); rpwd = Utils.GetPassword(); Console.WriteLine(); } if (!rhost.Equals("random")) { Scout(rhost, domain, ruser, rpwd, scoutfpath, log, scout_action, scout_np, verbose); return; } else if (!dc.Equals("")) { List <Computer> targets = new List <Computer>(); targets = Ldap.GetADComputers(10, dc, ruser, rpwd); if (targets.Count > 0) { Console.WriteLine("[+] Obtained {0} possible targets.", targets.Count); var random = new Random(); int index = random.Next(targets.Count); Console.WriteLine("[+] Picked Random host for simulation: " + targets[index].Fqdn); Scout(targets[index].ComputerName, domain, ruser, rpwd, scoutfpath, log, scout_action, scout_np, verbose); return; } else { Console.WriteLine("[!] Could not obtain targets for the simulation"); return; } } else { Console.WriteLine("[*] Missing parameters :( "); Console.WriteLine("[*] Exiting"); return; } } else { Console.WriteLine("[*] Missing parameters :( "); Console.WriteLine("[*] Exiting"); return; } } if (!pb_file.Equals("")) { string json = File.ReadAllText(pb_file); SimulationExercise engagement = Json.ReadSimulationPlaybook(json); if (engagement != null) { Console.Write("Submit Password for {0}\\{1}: ", engagement.domain, engagement.username); string pass = Utils.GetPassword(); Console.WriteLine("[+] PurpleSharp will execute {0} playbook(s)", engagement.playbooks.Count); SimulationExerciseResult engagementResults = new SimulationExerciseResult(); engagementResults.playbookresults = new List <SimulationPlaybookResult>(); SimulationPlaybook lastPlaybook = engagement.playbooks.Last(); foreach (SimulationPlaybook playbook in engagement.playbooks) { SimulationPlaybookResult playbookResults = new SimulationPlaybookResult(); playbookResults.taskresults = new List <PlaybookTaskResult>(); playbookResults.name = playbook.name; playbookResults.host = playbook.host; Console.WriteLine("[+] Starting Execution of {0}", playbook.name); PlaybookTask lastTask = playbook.tasks.Last(); List <string> techs = new List <string>(); foreach (PlaybookTask task in playbook.tasks) { techs.Add(task.technique); } string techs2 = String.Join(",", techs); if (playbook.host.Equals("random")) { List <Computer> targets = Ldap.GetADComputers(10, engagement.dc, engagement.username, pass); if (targets.Count > 0) { Console.WriteLine("[+] Obtained {0} possible targets.", targets.Count); var random = new Random(); int index = random.Next(targets.Count); Console.WriteLine("[+] Picked random host for simulation: " + targets[index].Fqdn); Console.WriteLine("[+] Executing techniques {0} against {1}", techs2, targets[index].Fqdn); playbookResults = ExecuteRemoteTechniquesJson(targets[index].Fqdn, engagement.domain, engagement.username, pass, techs2, playbook.pbsleep, playbook.tsleep, playbook.scoutfpath, scout_np, playbook.simrpath, log, true, false); playbookResults.name = playbook.name; } else { Console.WriteLine("[!] Could not obtain targets for the simulation"); } } else { Console.WriteLine("[+] Executing techniques {0} against {1}", techs2, playbook.host); playbookResults = ExecuteRemoteTechniquesJson(playbook.host, engagement.domain, engagement.username, pass, techs2, playbook.pbsleep, playbook.tsleep, playbook.scoutfpath, scout_np, playbook.simrpath, log, true, false); playbookResults.name = playbook.name; } if (engagement.sleep > 0 && !playbook.Equals(lastPlaybook)) { Console.WriteLine(); Console.WriteLine("[+] Sleeping {0} minutes until next playbook...", engagement.sleep); Thread.Sleep(1000 * engagement.sleep * 60); } engagementResults.playbookresults.Add(playbookResults); } Console.WriteLine("Writting JSON results..."); string output_file = pb_file.Replace(".json", "") + "_results.json"; Json.WriteJsonPlaybookResults(engagementResults, output_file); Console.WriteLine("DONE. Open " + output_file); Console.WriteLine(); return; } else { Console.WriteLine("[!] Could not parse JSON input."); Console.WriteLine("[*] Exiting"); return; } } if (remote) { if (!rhost.Equals("") && !domain.Equals("") && !ruser.Equals("") && !techniques.Equals("")) { if (rpwd == "") { Console.Write("Password for {0}\\{1}: ", domain, ruser); rpwd = Utils.GetPassword(); Console.WriteLine(); } if (!rhost.Equals("random")) { ExecuteRemoteTechniques(rhost, domain, ruser, rpwd, techniques, pbsleep, tsleep, scoutfpath, scout_np, simrpath, simulator_np, log, opsec, verbose, cleanup); return; } else if (!dc.Equals("")) { List <Computer> targets = new List <Computer>(); targets = Ldap.GetADComputers(10, dc, ruser, rpwd); if (targets.Count > 0) { Console.WriteLine("[+] Obtained {0} possible targets.", targets.Count); var random = new Random(); int index = random.Next(targets.Count); Console.WriteLine("[+] Picked Random host for simulation: " + targets[index].Fqdn); ExecuteRemoteTechniques(targets[index].Fqdn, domain, ruser, rpwd, techniques, pbsleep, tsleep, scoutfpath, scout_np, simrpath, simulator_np, log, opsec, verbose, cleanup); return; } else { Console.WriteLine("[!] Could not obtain targets for the simulation"); return; } } else { Console.WriteLine("[*] Missing dc :( "); Console.WriteLine("[*] Exiting"); return; } } else { Console.WriteLine("[*] Missing parameters :( "); Console.WriteLine("[*] Exiting"); return; } } // running simulations locally else if (!techniques.Equals("")) { ExecuteTechniques(techniques, nusers, nhosts, pbsleep, tsleep, log, cleanup); } }
public IPCProcess(NamedPipes.NamedPipeInitialisation initArgs) : this(initArgs, new NamedPipes.NamedPipeServer(), new NamedPipes.NamedPipeClient()) { }