예제 #1
0
        public static void ExecuteRemoteTechniques(string rhost, string domain, string ruser, string rpwd, string techniques, int pbsleep, int tsleep, string scoutfpath, string scout_np, string simrpath, string simulator_np, string log, bool opsec, bool verbose, bool cleanup)
        {
            // techniques that need to be executed from a high integrity process
            string[] privileged_techniques = new string[] { "T1003.001", "T1136.001", "T1070.001", "T1543.003", "T1546.003" };

            if (rpwd == "")
            {
                Console.Write("Password for {0}\\{1}: ", domain, ruser);
                rpwd = Utils.GetPassword();
                Console.WriteLine();
            }

            string uploadPath  = System.Reflection.Assembly.GetEntryAssembly().Location;
            int    index       = scoutfpath.LastIndexOf(@"\");
            string scoutFolder = scoutfpath.Substring(0, index + 1);

            System.Threading.Thread.Sleep(3000);

            if (opsec)
            {
                string result = "";
                string args   = "/o";

                Console.WriteLine("[+] Uploading and executing the Scout on {0} ", @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
                RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
                RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd);
                Console.WriteLine("[+] Connecting to the Scout ...");

                result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN");
                if (result.Equals("SYN/ACK"))
                {
                    Console.WriteLine("[+] OK");

                    if (privileged_techniques.Contains(techniques.ToUpper()))
                    {
                        result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:privileged");
                    }
                    else
                    {
                        result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:regular");
                    }

                    string[] payload = result.Split(',');
                    string   duser   = payload[0];


                    if (duser == "")
                    {
                        Console.WriteLine("[!] Could not identify a suitable process for the simulation. Is a user logged in on: " + rhost + "?");
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
                        Thread.Sleep(1000);
                        RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
                        RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
                        Console.WriteLine("[!] Exitting.");
                        return;
                    }
                    else
                    {
                        string user = duser.Split('\\')[1];
                        //Console.WriteLine("[+] Sending simulator binary...");
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "simrpath:" + simrpath);
                        //Console.WriteLine("[+] Sending technique ...");
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "technique:" + techniques);
                        //Console.WriteLine("[+] Sending opsec techqniue...");
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "opsec:" + "ppid");
                        //Console.WriteLine("[+] Sending sleep...");
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pbsleep:" + pbsleep.ToString());
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "tsleep:" + tsleep.ToString());
                        if (cleanup)
                        {
                            NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cleanup:True");
                        }
                        else
                        {
                            NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cleanup:False");
                        }


                        Console.WriteLine("[!] Recon -> " + String.Format("Identified logged user: {0}", duser));
                        string simfpath   = "C:\\Users\\" + user + "\\" + simrpath;
                        int    index2     = simrpath.LastIndexOf(@"\");
                        string simrfolder = simrpath.Substring(0, index2 + 1);

                        string simfolder = "C:\\Users\\" + user + "\\" + simrfolder;

                        Console.WriteLine("[+] Uploading Simulation agent to " + @"\\" + rhost + @"\" + simfpath.Replace(":", "$"));
                        RemoteLauncher.upload(uploadPath, simfpath, rhost, ruser, rpwd, domain);

                        Console.WriteLine("[+] Triggering simulation using PPID Spoofing | Process: {0}.exe | PID: {1} | High Integrity: {2}", payload[1], payload[2], payload[3]);
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "act");
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");

                        if (verbose)
                        {
                            Console.WriteLine("[+] Grabbing the Scout output...");
                            System.Threading.Thread.Sleep(1000);
                            string sresults = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
                            Console.WriteLine("[+] Results:");
                            Console.WriteLine();
                            Console.WriteLine(sresults);
                        }
                        Thread.Sleep(5000);
                        bool   finished = false;
                        int    counter  = 1;
                        string results  = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
                        while (finished == false)
                        {
                            if (results.Split('\n').Last().Contains("Playbook Finished"))
                            {
                                //Console.WriteLine("[+] Obtaining the Simulation Agent output...");
                                Console.WriteLine("[+] Results:");
                                Console.WriteLine();
                                Console.WriteLine(results);
                                Console.WriteLine();
                                Console.WriteLine("[+] Cleaning up...");
                                Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
                                RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
                                Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
                                RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
                                Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + simfpath.Replace(":", "$"));
                                RemoteLauncher.delete(simfpath, rhost, ruser, rpwd, domain);
                                Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (simfolder + log).Replace(":", "$"));
                                RemoteLauncher.delete(simfolder + log, rhost, ruser, rpwd, domain);
                                finished = true;
                            }
                            else
                            {
                                Console.WriteLine("[+] Not finished. Waiting an extra {0} seconds", counter * 10);
                                Thread.Sleep(counter * 10 * 1000);
                                results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
                            }
                            counter += 1;
                        }
                    }
                }
                else
                {
                    Console.WriteLine("[!] Could not connect to namedpipe service");
                    Console.WriteLine("[!] Exitting.");
                    return;
                }
            }
            else
            {
                Console.WriteLine("[+] Uploading and executing the Simulation agent on {0} ", @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
                RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
                RemoteLauncher.wmiexec(rhost, scoutfpath, "/s", domain, ruser, rpwd);
                Thread.Sleep(2000);
                if (cleanup)
                {
                    NamedPipes.RunClient(rhost, domain, ruser, rpwd, simulator_np, "technique:" + techniques + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:True");
                }
                else
                {
                    NamedPipes.RunClient(rhost, domain, ruser, rpwd, simulator_np, "technique:" + techniques + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:False");
                }

                Thread.Sleep(5000);
                bool   finished = false;
                int    counter  = 1;
                string results  = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
                while (finished == false)
                {
                    if (results.Split('\n').Last().Contains("Playbook Finished"))
                    {
                        Console.WriteLine("[+] Obtaining results...");
                        Console.WriteLine("[+] Results:");
                        Console.WriteLine();
                        Console.WriteLine(results);
                        Console.WriteLine();
                        Console.WriteLine("[+] Cleaning up...");
                        Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
                        RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
                        Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
                        RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
                        finished = true;
                    }
                    else
                    {
                        Console.WriteLine("[+] Not finished. Waiting an extra {0} seconds", counter * 10);
                        Thread.Sleep(counter * 10 * 1000);
                        results = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
                    }
                    counter += 1;
                }
            }
        }
예제 #2
0
        public static SimulationPlaybookResult ExecuteRemoteTechniquesJson(string rhost, string domain, string ruser, string rpwd, string techniques, int pbsleep, int tsleep, string scoutfpath, string scout_np, string simrpath, string log, bool opsec, bool verbose)
        {
            // techniques that need to be executed from a high integrity process
            string[] privileged_techniques = new string[] { "T1003.001", "T1136.001", "T1070.001", "T1543.003", "T1546.003" };

            string uploadPath  = System.Reflection.Assembly.GetEntryAssembly().Location;
            int    index       = scoutfpath.LastIndexOf(@"\");
            string scoutFolder = scoutfpath.Substring(0, index + 1);

            Thread.Sleep(3000);

            if (opsec)
            {
                string result = "";
                string args   = "/o";

                //Console.WriteLine("[+] Uploading Scout to {0} on {1}", scoutfpath, rhost);
                RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);

                //Console.WriteLine("[+] Executing the Scout via WMI ...");
                RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd);
                //Console.WriteLine("[+] Connecting to namedpipe service ...");

                result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN");
                if (result.Equals("SYN/ACK"))
                {
                    //Console.WriteLine("[+] OK");

                    if (privileged_techniques.Contains(techniques.ToUpper()))
                    {
                        result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:privileged");
                    }
                    else
                    {
                        result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:regular");
                    }

                    string[] payload = result.Split(',');
                    string   duser   = payload[0];


                    if (duser == "")
                    {
                        Console.WriteLine("[!] Could not identify a suitable process for the simulation. Is a user logged in on: " + rhost + "?");
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
                        Thread.Sleep(1000);
                        RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
                        RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
                        //Console.WriteLine("[!] Exitting.");
                        return(null);
                    }
                    else
                    {
                        string user = duser.Split('\\')[1];
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "simrpath:" + simrpath);
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "technique:" + techniques);
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "opsec:" + "ppid");
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pbsleep:" + pbsleep.ToString());
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "tsleep:" + tsleep.ToString());
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cleanup:True");


                        string simfpath   = "C:\\Users\\" + user + "\\" + simrpath;
                        int    index2     = simrpath.LastIndexOf(@"\");
                        string simrfolder = simrpath.Substring(0, index2 + 1);

                        string simfolder = "C:\\Users\\" + user + "\\" + simrfolder;

                        //Console.WriteLine("[+] Uploading Simulation agent to " + simfpath);
                        RemoteLauncher.upload(uploadPath, simfpath, rhost, ruser, rpwd, domain);

                        //Console.WriteLine("[+] Triggering simulation...");
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "act");
                        NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");

                        System.Threading.Thread.Sleep(5000);
                        bool   finished = false;
                        int    counter  = 1;
                        string results  = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
                        while (finished == false)
                        {
                            if (results.Split('\n').Last().Contains("Playbook Finished"))
                            {
                                Console.WriteLine("[+] Results:");
                                Console.WriteLine();
                                Console.WriteLine(results);
                                Console.WriteLine();
                                RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
                                RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
                                RemoteLauncher.delete(simfpath, rhost, ruser, rpwd, domain);
                                RemoteLauncher.delete(simfolder + log, rhost, ruser, rpwd, domain);
                                finished = true;
                            }
                            else
                            {
                                Console.WriteLine("[+] Not finished. Waiting an extra {0} seconds", counter * 10);
                                Thread.Sleep(counter * 10 * 1000);
                                results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
                            }
                            counter += 1;
                        }
                        return(Json.GetPlaybookResult(results));
                    }
                }
                else
                {
                    //Console.WriteLine("[!] Could not connect to namedpipe service");
                    return(null);
                }
            }
            else
            {
                //Console.WriteLine("[+] Uploading PurpleSharp to {0} on {1}", scoutfpath, rhost);
                RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);

                string cmdline = "/t " + techniques;
                //Console.WriteLine("[+] Executing PurpleSharp via WMI ...");
                RemoteLauncher.wmiexec(rhost, scoutfpath, cmdline, domain, ruser, rpwd);
                Thread.Sleep(3000);
                Console.WriteLine("[+] Obtaining results...");
                string results = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
                Console.WriteLine("[+] Results:");
                Console.WriteLine();
                Console.WriteLine(results);
                //Console.WriteLine("[+] Cleaning up...");
                //Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
                RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
                //
                //Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
                RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);

                return(Json.GetPlaybookResult(results));
            }
        }
예제 #3
0
        public static void Scout(string rhost, string domain, string ruser, string rpwd, string scoutfpath, string log, string scout_action, string scout_np, bool verbose)
        {
            List <String> actions = new List <string>()
            {
                "all", "wef", "pws", "ps", "svcs", "auditpol", "cmdline"
            };

            if (!actions.Contains(scout_action))
            {
                Console.WriteLine("[*] Not supported.");
                Console.WriteLine("[*] Exiting");
                return;
            }
            if (rpwd == "")
            {
                Console.Write("Password for {0}\\{1}: ", domain, ruser);
                rpwd = Utils.GetPassword();
                Console.WriteLine();
            }
            string uploadPath  = System.Reflection.Assembly.GetEntryAssembly().Location;
            int    index       = scoutfpath.LastIndexOf(@"\");
            string scoutFolder = scoutfpath.Substring(0, index + 1);
            string args        = "/o";

            Console.WriteLine("[+] Uploading Scout to {0} on {1}", scoutfpath, rhost);
            RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);

            Console.WriteLine("[+] Executing the Scout via WMI ...");
            RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd);
            Console.WriteLine("[+] Connecting to the Scout ...");

            string result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN");

            if (result.Equals("SYN/ACK"))
            {
                Console.WriteLine("[+] OK");
                string results;

                if (scout_action.Equals("all"))
                {
                    string temp;

                    temp    = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "wef");
                    results = Encoding.UTF8.GetString(Convert.FromBase64String(temp));

                    temp     = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pws");
                    results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));

                    temp     = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cmdline");
                    results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));

                    temp     = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "ps");
                    results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));

                    temp     = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "svcs");
                    results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));

                    temp     = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "auditpol");
                    results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));

                    NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
                }
                else
                {
                    results = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, scout_action);
                    results = Encoding.UTF8.GetString(Convert.FromBase64String(results));
                    NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
                }
                if (verbose)
                {
                    Console.WriteLine("[+] Grabbing the Scout output...");
                    System.Threading.Thread.Sleep(1000);
                    string sresults = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
                    Console.WriteLine("[+] Results:");
                    Console.WriteLine();
                    Console.WriteLine(sresults);
                }
                Console.WriteLine("[+] Scout Results...");
                Console.WriteLine();
                Console.WriteLine(results);
                Console.WriteLine();
                Console.WriteLine("[+] Cleaning up...");
                Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
                RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
                Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
                RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
            }
        }