コード例 #1
        /// <summary>
        /// Probes a remote server by reading the Windows product name from its registry
        /// with the deployment account, and reports whether that read succeeded.
        /// </summary>
        /// <param name="server">Server entry supplying the host name and the deployment credentials.</param>
        /// <returns>
        /// <c>true</c> when the <c>ProductName</c> value could be read; <c>false</c> when the read
        /// failed or any exception was raised (every exception is logged and swallowed here).
        /// </returns>
        /// <remarks>
        /// The log text speaks of WMI, but the transport used by <c>RemoteRegistry</c> is not visible
        /// in this method. The password is passed to <c>RemoteRegistry</c> as a plain string and is
        /// not written to the log by this method; NOTE(review): confirm that the logged exception
        /// objects cannot carry the credentials either.
        /// </remarks>
        private static bool HaveAccessToServer(ServerConfig server)
        {
            Logger.Info(string.Format("Checking if WMI can be used to reach remote server [{0}]...", server.Name));

            try
            {
                var remote = new RemoteRegistry(server.Name, server.DeploymentUser.UserName, server.DeploymentUser.Password);

                // A successful read of a well-known value serves as the reachability and permission check.
                string productName;
                bool reached = remote.TryGetStringValue(RegistryHive.LocalMachine, @"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductName", out productName);
                if (!reached)
                {
                    Logger.Error(string.Format("Unable to reach server [{0}] using WMI", server.Name));
                    return false;
                }

                Logger.Info(string.Format("Contact was made with server [{0}] using WMI. Server is {1}.", server.Name, productName));
                return true;
            }
            catch (UnauthorizedAccessException denied)
            {
                // Kept separate from the generic handler so the operator is pointed at the credentials.
                Logger.Error(string.Format("Unable to access remote server [{0}] using WMI. Unauthorized Access Exception reported. Please check your credentials.", server.Name), denied);
                return false;
            }
            catch (Exception failure)
            {
                Logger.Error(string.Format("Unable to access remote server [{0}] using WMI.", server.Name), failure);
                return false;
            }
        }
コード例 #2
        /// <summary>
        /// Routes a menu selection to the routine that implements the chosen stage.
        /// </summary>
        /// <param name="attackType">Menu code as text, "1" through "6".</param>
        /// <remarks>
        /// Judging by the namespaces, the stages are discovery, delivery, execution, command and
        /// control, remote registry modification and credential access. Any other value,
        /// including <c>null</c>, is ignored without feedback to the caller. Selection "5" hands
        /// the stored domain user name and password to <c>RemoteRegistry.RegModification</c>.
        /// </remarks>
        public static void LaunchAttack(string attackType)
        {
            if (attackType == "1")
            {
                DiscoveryChoice.Selections();
            }
            else if (attackType == "2")
            {
                Delivery.PowerShell.DownloadFile();
            }
            else if (attackType == "3")
            {
                Execution.WMIDeployment.Deploy();
            }
            else if (attackType == "4")
            {
                Command_and_Control.ReverseTCPShell.Control();
            }
            else if (attackType == "5")
            {
                RemoteRegistry.RegModification(Exfiltration.SaveLocations.NekoFolder, GetDomainInfo.DomainURL, DomainAuthentication.Username, DomainAuthentication.Password);
            }
            else if (attackType == "6")
            {
                // Two calls run back to back for this selection, in this order.
                Credential_Access.Selections.EnableWDigest();
                Credential_Access.Selections.SaveSAMSecurity();
            }
        }
コード例 #3
        /// <summary>
        /// Creates an agent and wires up its five remote-facing components, each built with
        /// its parameterless constructor.
        /// </summary>
        public MatrixAgent()
        {
            // Construction order is kept as written; whether the components depend on it is not visible here.
            Registry = new RemoteRegistry();
            Configuration = new RemoteConfigurator();
            Directory = new RemoteDirectory();
            Logger = new RemoteLogger();
            Gateway = new RemoteGateway();
        }
コード例 #4
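        /// <summary>
        /// Returns the remote package information for <paramref name="id"/>, asking the remote
        /// registry only when no earlier answer is held in <c>remotePackQueryCache</c>.
        /// </summary>
        /// <param name="id">Identifier of the package to look up; also the cache key.</param>
        /// <returns>The cached or freshly queried package information.</returns>
        /// <remarks>
        /// This method never evicts or revalidates an entry, so a cached answer is reused for as
        /// long as the cache lives. NOTE(review): assumes <c>remotePackQueryCache</c> is a
        /// dictionary type offering <c>TryGetValue</c> and an indexer setter - confirm against its declaration.
        /// </remarks>
        public async Task <RemotePackageInfo> CachedQueryRemotePackage(Identifier id)
        {
            // Single lookup instead of ContainsKey followed by the indexer.
            RemotePackageInfo cached;
            if (remotePackQueryCache.TryGetValue(id, out cached))
            {
                return(cached);
            }

            var result = await RemoteRegistry.QueryPackage(this, id);

            // Two callers can both miss the cache and reach this point for the same id while
            // the query is awaited. Add() would throw ArgumentException for the second one;
            // indexer assignment stores the latest answer instead.
            remotePackQueryCache[id] = result;
            return(result);
        }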
コード例 #5
        /// <summary>
        /// Checks whether .NET Framework 4.0 is installed on a remote server by reading the
        /// <c>Install</c> DWORD under <c>NDP\v4\Full</c> with the deployment account.
        /// </summary>
        /// <param name="server">Server entry supplying the host name and the deployment credentials.</param>
        /// <returns>
        /// <c>true</c> only when the value was read and equals 1; <c>false</c> otherwise, including
        /// when any exception is raised (it is logged and swallowed).
        /// </returns>
        /// <remarks>
        /// A failed registry read and a value other than 1 produce the same "Missing" log entry, so
        /// the log alone cannot tell an access problem from an absent framework.
        /// </remarks>
        private static bool HaveNet40(ServerConfig server)
        {
            try
            {
                Logger.Info(string.Format("Checking if WMI can be used to check if .NET Framework 4.0 is installed on server [{0}]...", server.Name));
                var remote = new RemoteRegistry(server.Name, server.DeploymentUser.UserName, server.DeploymentUser.Password);

                int installFlag;
                bool readOk = remote.TryGetDWordValue(RegistryHive.LocalMachine, @"SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full", "Install", out installFlag);
                if (readOk && installFlag == 1)
                {
                    Logger.Info(string.Format("Microsoft .NET Framework version 4.0 is installed on server [{0}].", server.Name));
                    return true;
                }

                Logger.Error(string.Format("Missing Microsoft .NET Framework version 4.0 on [{0}].", server.Name));
                return false;
            }
            catch (Exception failure)
            {
                Logger.Error(string.Format("Unable to access remote server to check for .NET Framework 4.0 on server [{0}] using WMI.", server.Name), failure);
                return false;
            }
        }
コード例 #6
        /// <summary>
        /// Runs one entry of the interactive discovery menu, then asks whether more discovery
        /// should follow.
        /// </summary>
        /// <param name="DiscoverySelection">
        /// Menu code as text: "1" local system discovery, "2" domain discovery over LDAP,
        /// "3" network scan with optional credential prompts, "4" remote registry query.
        /// </param>
        /// <returns>
        /// <c>true</c> when the operator declines further discovery; <c>false</c> when the
        /// selection is not recognised, or after a nested <c>Selections()</c> call has returned.
        /// </returns>
        /// <remarks>
        /// NOTE(review): this listing is damaged. In the "3" branch the text between the password
        /// prompt and the domain prompt was replaced by asterisks when the page was published, so
        /// the password handling and the condition of the following block are not visible and the
        /// method does not compile as shown.
        /// </remarks>
        public static bool Options(string DiscoverySelection)
        {
            // Local machine recon
            if (DiscoverySelection == "1")
            {
                // The prompt offers 'exit', but the loop below accepts only "y" or "n".
                Console.WriteLine("\r\n" +
                                  "Conduct local system discovery? Enter 'y' or 'n' or 'exit':");
                string localRecon = Console.ReadLine();
                // Console.ReadLine() returns null once input is closed; null is neither "y" nor "n",
                // so this loop (and the similar ones below) would then never end.
                while (localRecon != "y" && localRecon != "n")
                {
                    // This retry text mentions LDAP network discovery although the branch is local discovery.
                    Console.WriteLine("\r\n" +
                                      "Invalid selection. Do you want to do network discovery via LDAP? Enter 'y' or 'n':");
                    localRecon = Console.ReadLine();
                }

                // Conduct local recon
                if (localRecon == "y")
                {
                    LocalMachineRecon.LocalMachine(Exfiltration.SaveLocations.NekoFolder);
                }

                // Check if user wants to do additional discovery
                // (presumably ContinueDiscovery() sets conductAdditionalDisocvery; its body is not shown here)
                ContinueDiscovery();

                if (conductAdditionalDisocvery == "y")
                {
                    // Re-enters the menu; when it returns, control falls through to return(false) at the end.
                    Selections();
                }
                else
                {
                    return(true);
                }
            }
            // Domain recon via LDAP
            else if (DiscoverySelection == "2")
            {
                // See if user wants to do LDAP searching
                Console.WriteLine("\r\n" +
                                  "Do you want to do domain recon via LDAP? Enter 'y' or 'n':");
                string ldapQueries = Console.ReadLine();
                while (ldapQueries != "y" && ldapQueries != "n")
                {
                    Console.WriteLine("\r\n" +
                                      "Invalid selection. Do you want to do network recon via LDAP? Enter 'y' or 'n':");
                    ldapQueries = Console.ReadLine();
                }

                // If user opts to run ldap queries
                if (ldapQueries == "y")
                {
                    Discovery.LDAP.Information();
                }

                // Check if user wants to do additional discovery
                ContinueDiscovery();

                if (conductAdditionalDisocvery == "y")
                {
                    Selections();
                }
                else
                {
                    return(true);
                }
            }
            // Network IP recon with option of WMI
            else if (DiscoverySelection == "3")
            {
                // Get type of scan
                var scanType = UserScanSelection.ScanSelection();

                // Conduct scan
                Discovery.PortScanning.PortChoices.Selections();

                // Get WMI User Info
                if (scanType == "1")
                {
                    // The currently stored user name is echoed to the console in this prompt.
                    Console.WriteLine("\r\n" +
                                      "This process typically requires Domain Admin credentials, does " + DomainAuthentication.Username + " have sufficient credentials? Enter 'y' or 'n':");
                    string hasDomainAdmin = Console.ReadLine();
                    while (hasDomainAdmin != "y" && hasDomainAdmin != "n")
                    {
                        Console.WriteLine("\r\n" +
                                          "Invalid selection. This process requires Domain Admin credentials, proceed? Enter 'y' or 'n':");
                        hasDomainAdmin = Console.ReadLine();
                    }
                    if (hasDomainAdmin == "n")
                    {
                        Console.WriteLine("\r\n" +
                                          "Enter user name:");
                        // The replacement user name is written to a static field.
                        DomainAuthentication.Username = Console.ReadLine();

                        // NOTE(review): the listing is truncated inside the next statement. The
                        // password read, the end of this block and the condition guarding the
                        // domain prompt are missing from the published page.
                        Console.WriteLine("\r\n" +
                                          "Enter password:"******"")
                    {
                        Console.WriteLine("\r\n" +
                                          "Enter network domain:");
                        GetDomainInfo.DomainURL = Console.ReadLine();
                    }
                    // If ldap querying was done, confirms they want to use the same domain
                    else
                    {
                        Console.WriteLine("\r\n" +
                                          "The domain selected for LDAP recon was: " + GetDomainInfo.DomainURL + " Would you like to continue using this domain? Enter 'y' or 'n':");
                        string domainConfirmation = Console.ReadLine();
                        while (domainConfirmation != "y" && domainConfirmation != "n")
                        {
                            Console.WriteLine("\r\n" +
                                              "Invalid selection. The domain selected for LDAP recon was: " + GetDomainInfo.DomainURL + " Would you like to continue using this domain? Enter 'y' or 'n':");
                            domainConfirmation = Console.ReadLine();
                        }
                        // If they select n, they're prompted for a different domain
                        if (domainConfirmation == "n")
                        {
                            Console.WriteLine("Please enter new domain to use:");
                            GetDomainInfo.DomainURL = Console.ReadLine();
                        }
                    }
                }
                // Check if user wants to do additional discovery
                ContinueDiscovery();

                if (conductAdditionalDisocvery == "y")
                {
                    Selections();
                }
                else
                {
                    return(true);
                }
            }
            // Remote registry query
            else if (DiscoverySelection == "4")
            {
                // Passes the save folder, the domain and the stored user name and password to RegQuery.
                RemoteRegistry.RegQuery(Exfiltration.SaveLocations.NekoFolder, GetDomainInfo.DomainURL, DomainAuthentication.Username, DomainAuthentication.Password);

                // Check if user wants to do additional discovery
                ContinueDiscovery();

                if (conductAdditionalDisocvery == "y")
                {
                    Selections();
                }
                else
                {
                    return(true);
                }
            }
            // Reached for an unrecognised selection and after any nested Selections() call.
            return(false);
        }
コード例 #7
ファイル: NodesServer.cs プロジェクト: sarat12/AdmAssist
        /// <summary>
        /// Scans a single node: checks whether it is online and, if so (or if offline hosts are
        /// configured to be scanned), runs the DNS, ARP, NetBIOS, remote registry, SNMP and WMI
        /// collectors against it, writing what they find into <c>task.Node</c>.
        /// </summary>
        /// <param name="task">Scan task whose <c>Node</c> holds the IP address and receives the results.</param>
        /// <exception cref="ArgumentException">
        /// The node has no entry under <c>Constants.IpColumnName</c>, or that entry is not an <see cref="IPAddress"/>.
        /// </exception>
        /// <remarks>
        /// Every collector is best effort: any exception it raises is discarded without logging, so
        /// an access-denied answer cannot be told apart from a host that did not respond.
        /// </remarks>
        public static void ScanNode(ScanTask task)
        {
            // The status stays null while the scan runs; it is set again on the last line.
            task.Node[Constants.StatusColumnName] = null;

            IPAddress ip = task.Node.ContainsKey(Constants.IpColumnName)
                ? task.Node[Constants.IpColumnName] as IPAddress
                : null;
            if (ip == null)
            {
                throw new ArgumentException("Node doesn't contain ip adress!");
            }

            bool reachable = NetTools.IsOnline(ip);

            if (reachable || ConfigurationManager.Configuration.ScanningOptions.ScanOfflineHost)
            {
                // Collectors run in this fixed order; 137 is the port handed to the NetBIOS collector.
                Action[] collectors =
                {
                    () => Dns.Resolve(ip, task.Node),
                    () => RemoteArp.GetInfo(ip, task.Node),
                    () => RemoteNetBios.GetInfo(ip, 137, task.Node),
                    () => RemoteRegistry.GetInfo(ip, task.Node),
                    () => RemoteSnmp.GetAllInfo(ip, task.Node),
                    () => RemoteWmi.GetInfo(ip, task.Node),
                };

                foreach (Action collect in collectors)
                {
                    try
                    {
                        collect();
                    }
                    catch
                    {
                        // Ignored by design: one failing collector must not stop the others.
                    }
                }
            }

            task.Node[Constants.StatusColumnName] = reachable;
        }