public static List <User> GetUserTargets(PlaybookTask playbook_task, Logger logger)
{
PrincipalContext context;
string dc;
List <User> targetusers = new List <User>();
switch (playbook_task.user_target_type)
{
case 1:
logger.TimestampInfo("Targeting playbook defined users");
foreach (string user in playbook_task.user_targets)
{
User nuser = new User(user);
targetusers.Add(nuser);
}
break;
case 2:
context = new PrincipalContext(ContextType.Domain);
dc = context.ConnectedServer;
logger.TimestampInfo("Targeting random domain users");
targetusers = Ldap.GetADUsers(playbook_task.user_target_total, logger, dc, true);
logger.TimestampInfo(String.Format("Obtained {0} user records", targetusers.Count));
break;
case 3:
logger.TimestampInfo("Targeting randomly generated users");
targetusers = Targets.GetRandomUsernames(playbook_task.user_target_total, new Random());
break;
case 4:
logger.TimestampInfo("Targeting administrative accounts (adminCount=1) ");
targetusers = Ldap.GetADAdmins(playbook_task.user_target_total, logger);
logger.TimestampInfo(String.Format("Obtained {0} user records", targetusers.Count));
break;
case 5:
logger.TimestampInfo("Targeting domain admins");
targetusers = Ldap.GetDomainAdmins(logger);
logger.TimestampInfo(String.Format("Obtained {0} user records", targetusers.Count));
break;
case 6:
context = new PrincipalContext(ContextType.Domain);
dc = context.ConnectedServer;
logger.TimestampInfo("Targeting disabled users");
targetusers = Ldap.GetADUsers(playbook_task.user_target_total, logger, dc, false);
logger.TimestampInfo(String.Format("Obtained {0} user records", targetusers.Count));
break;
default:
return(targetusers);
}
return(targetusers);
}
public static List <Computer> GetDomainRandomTargets(int count, Logger logger)
{
List <Computer> targets = new List <Computer>();
logger.TimestampInfo("Obtaining domain random targets ...");
targets = Ldap.GetADComputers(count, logger);
return(targets);
}
public static List <Computer> GetDomainNeighborTargets(int count, Logger logger)
{
List <Computer> targets = new List <Computer>();
PrincipalContext context = new PrincipalContext(ContextType.Domain);
string dc = context.ConnectedServer;
logger.TimestampInfo("Obtaining domain neighbor targets ...");
targets = Ldap.GetADComputers(count, logger, dc);
//Console.WriteLine("[*] Finished");
return(targets);
}
public static List <User> GetDomainAdmins(Lib.Logger logger)
{
List <User> lstDas = new List <User>();
PrincipalContext PC = new PrincipalContext(ContextType.Domain);
logger.TimestampInfo("Querying for active Domain Admins ..");
GroupPrincipal GP = GroupPrincipal.FindByIdentity(PC, "Domain Admins");
foreach (UserPrincipal member in GP.Members)
{
if (member.Enabled == true)
{
User user = new User();
user.UserName = member.SamAccountName;
user.DisplayName = member.DisplayName;
lstDas.Add(user);
}
}
return(lstDas);
}
public static SimulationPlaybook RunSimulationServiceSerialized(string npipe, string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Logger logger = new Logger(currentPath + log);
SimulationPlaybook playbook = new SimulationPlaybook();
try
{
//https://helperbyte.com/questions/171742/how-to-connect-to-a-named-pipe-without-administrator-rights
PipeSecurity ps = new PipeSecurity();
ps.SetAccessRule(new PipeAccessRule(new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), PipeAccessRights.ReadWrite, AccessControlType.Allow));
//logger.TimestampInfo("starting Simulator!");
using (var pipeServer = new NamedPipeServerStream(npipe, PipeDirection.InOut, 1, PipeTransmissionMode.Message, PipeOptions.Asynchronous, 4028, 4028, ps))
{
SimulationResponse sim_response;
//logger.TimestampInfo("Waiting for client connection...");
pipeServer.WaitForConnection();
//logger.TimestampInfo("Client connected.");
var messageBytes = ReadMessage(pipeServer);
var line = Encoding.UTF8.GetString(messageBytes);
//logger.TimestampInfo("Received from client: " + line);
SimulationRequest sim_request = JsonConvert.DeserializeObject <SimulationRequest>(line);
playbook = sim_request.playbook;
sim_response = new SimulationResponse("ACK");
byte[] bytes_sim_response = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(sim_response));
pipeServer.Write(bytes_sim_response, 0, bytes_sim_response.Length);
//logger.TimestampInfo("Replied to client: " + Encoding.UTF8.GetString(bytes_sim_response));
pipeServer.Disconnect();
return(playbook);
}
}
catch (Exception ex)
{
logger.TimestampInfo(ex.Message);
return(playbook);
}
}
public static List <User> GetADAdmins(int count, Lib.Logger logger)
{
DirectoryEntry rootDSE = new DirectoryEntry("LDAP://RootDSE");
string defaultNamingContext = (String)rootDSE.Properties["defaultNamingContext"].Value;
List <User> lstDas = new List <User>();
string DomainPath = "LDAP://" + defaultNamingContext;
DirectoryEntry searchRoot = new DirectoryEntry(DomainPath);
DirectorySearcher search = new DirectorySearcher(searchRoot);
//search.Filter = "(&(objectCategory=person)(objectClass=user)(adminCount=1)(badPwdCount<=3)(!samAccountName=krbtgt)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
search.Filter = "(&(objectCategory=person)(objectClass=user)(adminCount=1)(!samAccountName=krbtgt)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
search.SizeLimit = count * 5;
SearchResult result;
logger.TimestampInfo("Querying for active administrative users (adminCount=1) ..");
SearchResultCollection resultCol = search.FindAll();
if (resultCol != null)
{
for (int counter = 0; counter < resultCol.Count; counter++)
{
string UserNameEmailString = string.Empty;
result = resultCol[counter];
if (result.Properties.Contains("samaccountname"))
{
User objSurveyUsers = new User();
//Console.WriteLine((String)result.Properties["samaccountname"][0]);
objSurveyUsers.UserName = (String)result.Properties["samaccountname"][0];
//objSurveyUsers.DisplayName = (String)result.Properties["displayname"][0];
lstDas.Add(objSurveyUsers);
}
}
}
return(lstDas.OrderBy(arg => Guid.NewGuid()).Take(count).ToList());
}
public static List <User> GetADUsers(int count, Lib.Logger logger, string dc = "", bool Enabled = true)
{
try
{
DateTime dt = DateTime.Now.AddDays(-7);
long ftAccountExpires = dt.ToFileTime();
DirectorySearcher search = new DirectorySearcher();
DirectoryEntry rootDSE = new DirectoryEntry("LDAP://RootDSE");
string defaultNamingContext = (String)rootDSE.Properties["defaultNamingContext"].Value;
if (dc == "")
{
List <Computer> Dcs = GetDcs();
Random random = new Random();
int index = random.Next(Dcs.Count);
logger.TimestampInfo(String.Format("Randomly Picked DC for LDAP queries {0}", Dcs[index].ComputerName));
DirectoryEntry searchRoot = new DirectoryEntry("LDAP://" + Dcs[index].Fqdn);
search = new DirectorySearcher(searchRoot);
}
else
{
logger.TimestampInfo(String.Format("Using LogonServer {0} for LDAP queries", dc));
DirectoryEntry searchRoot = new DirectoryEntry("LDAP://" + dc);
search = new DirectorySearcher(searchRoot);
}
List <User> lstADUsers = new List <User>();
string DomainPath = "LDAP://" + defaultNamingContext;
// (!(userAccountControl:1.2.840.113556.1.4.803:=2)) - get active users only
// badPwdCount<=3 minimize the risk of locking accounts
if (Enabled)
{
search.Filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
}
//if (Enabled) search.Filter = "(&(objectCategory=person)(objectClass=user)(lastLogon>=" + ftAccountExpires.ToString() + ")(badPwdCount<=3)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
//if (Enabled) search.Filter = "(&(objectCategory=person)(objectClass=user)(lastLogon>=" + ftAccountExpires.ToString() + ")(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
else
{
search.Filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))";
}
search.PropertiesToLoad.Add("samaccountname");
search.PropertiesToLoad.Add("usergroup");
search.PropertiesToLoad.Add("displayname");
search.SizeLimit = count * 5;
SearchResult result;
if (Enabled)
{
logger.TimestampInfo("Querying for active domain users with badPwdCount <= 3..");
}
else
{
logger.TimestampInfo("Querying for disabled domain users ..");
}
SearchResultCollection resultCol = search.FindAll();
if (resultCol != null)
{
for (int counter = 0; counter < resultCol.Count; counter++)
{
string UserNameEmailString = string.Empty;
result = resultCol[counter];
if (result.Properties.Contains("samaccountname") && result.Properties.Contains("displayname"))
{
User objSurveyUsers = new User();
objSurveyUsers.UserName = (String)result.Properties["samaccountname"][0];
objSurveyUsers.DisplayName = (String)result.Properties["displayname"][0];
lstADUsers.Add(objSurveyUsers);
}
}
}
return(lstADUsers.OrderBy(arg => Guid.NewGuid()).Take(count).ToList());
}
catch (Exception ex)
{
Console.WriteLine(ex);
return(null);
}
}
public static List <Computer> GetADComputers(int count, Lib.Logger logger, string dc = "", string username = "", string password = "")
{
DateTime dt = DateTime.Now.AddDays(-1);
long ftAccountExpires = dt.ToFileTime();
DirectorySearcher search = new DirectorySearcher();
if (dc == "")
{
List <Computer> Dcs = GetDcs();
Random random = new Random();
int index = random.Next(Dcs.Count);
logger.TimestampInfo(String.Format("Randomly Picked DC for LDAP queries {0}", Dcs[index].ComputerName));
DirectoryEntry searchRoot = new DirectoryEntry();
if (!username.Equals("") && !password.Equals(""))
{
searchRoot = new DirectoryEntry("LDAP://" + Dcs[index].Fqdn, username, password);
}
else
{
searchRoot = new DirectoryEntry("LDAP://" + Dcs[index].Fqdn);
}
search = new DirectorySearcher(searchRoot);
}
else
{
logger.TimestampInfo(String.Format("Using {0} for LDAP queries", dc));
DirectoryEntry searchRoot = new DirectoryEntry();
if (!username.Equals("") && !password.Equals(""))
{
searchRoot = new DirectoryEntry("LDAP://" + dc, username, password);
}
else
{
searchRoot = new DirectoryEntry("LDAP://" + dc);
}
search = new DirectorySearcher(searchRoot);
}
List <Computer> lstADComputers = new List <Computer>();
search.Filter = "(&(objectClass=computer)(lastLogon>=" + ftAccountExpires.ToString() + "))";
search.PropertiesToLoad.Add("samaccountname");
search.PropertiesToLoad.Add("Name");
search.PropertiesToLoad.Add("DNSHostname");
search.SizeLimit = count * 5;
SearchResult result;
SearchResultCollection resultCol = search.FindAll();
if (resultCol != null)
{
//Console.WriteLine("Initial query obtained " + resultCol.Count.ToString() + " records;");
List <Task> tasklist = new List <Task>();
for (int counter = 0; counter < resultCol.Count; counter++)
{
try
{
result = resultCol[counter];
if (result.Properties.Contains("samaccountname") && result.Properties.Contains("DNSHostname"))
{
string Name = (String)result.Properties["Name"][0];
string dnshostname = (String)result.Properties["DNSHostname"][0];
if (!Name.ToUpper().Contains(Environment.MachineName.ToUpper()))
{
tasklist.Add(Task.Factory.StartNew(() =>
{
//TODO: Firewalls may block ping. Instead of pinging, i should should resolve.
//Console.WriteLine("[+] Trying to ping {0}", dnshostname);
string ipv4 = PurpleSharp.Lib.Networking.PingHost(dnshostname);
if (ipv4 != "")
{
TimeSpan interval = TimeSpan.FromSeconds(3);
if (PurpleSharp.Lib.Networking.OpenPort(ipv4, 445, interval))
{
Computer newhost = new Computer();
newhost.ComputerName = Name;
newhost.IPv4 = ipv4;
newhost.Fqdn = dnshostname;
lstADComputers.Add(newhost);
}
}
}));
}
}
}
catch
{
continue;
}
}
Task.WaitAll(tasklist.ToArray());
}
return(lstADComputers.OrderBy(arg => Guid.NewGuid()).Take(count).ToList());
}
public static void RunScoutServiceSerialized(string scout_np, string simulator_np, string log)
{
//Based on https://github.com/malcomvetter/NamedPipes
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Logger logger = new Logger(currentPath + log);
bool running = true;
bool privileged = false;
string duser, simulator_full_path, user, simulator_binary;
duser = simulator_full_path = user = simulator_binary = "";
Process parentprocess = null;
SimulationPlaybook PlaybookForSimulator = null;
Thread.Sleep(1500);
try
{
using (var pipeServer = new NamedPipeServerStream(scout_np, PipeDirection.InOut, NamedPipeServerStream.MaxAllowedServerInstances, PipeTransmissionMode.Message))
{
logger.TimestampInfo("Starting scout namedpipe service with PID:" + Process.GetCurrentProcess().Id);
while (running)
{
SimulationResponse sim_response;
logger.TimestampInfo("Waiting for client connection...");
pipeServer.WaitForConnection();
logger.TimestampInfo("Client connected.");
var messageBytes = ReadMessage(pipeServer);
var line = Encoding.UTF8.GetString(messageBytes);
logger.TimestampInfo("Received from client: " + line);
SimulationRequest sim_request = JsonConvert.DeserializeObject <SimulationRequest>(line);
ScoutResponse scout_response = null;
// Scout recon actions
if (sim_request.header.Equals("SCT"))
{
logger.TimestampInfo("Received SCT");
switch (sim_request.recon_type)
{
case "auditpol":
scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetAuditPolicy())));
break;
case "wef":
scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetWefSettings())));
break;
case "pws":
scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetPwsLoggingSettings())));
break;
case "ps":
scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetProcs())));
break;
case "svcs":
scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetServices())));
break;
case "cmdline":
scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(Recon.GetCmdlineAudittingSettings())));
break;
case "all":
string results = Recon.GetAuditPolicy() + "\n" + Recon.GetWefSettings() + "\n" + Recon.GetPwsLoggingSettings() + "\n" + Recon.GetProcs() + "\n" + Recon.GetServices() + "\n" + Recon.GetCmdlineAudittingSettings();
scout_response = new ScoutResponse(Convert.ToBase64String(Encoding.ASCII.GetBytes(results)));
break;
default:
break;
}
sim_response = new SimulationResponse("SYN/ACK", null, scout_response);
byte[] bytes_sim_response = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(sim_response));
pipeServer.Write(bytes_sim_response, 0, bytes_sim_response.Length);
logger.TimestampInfo(String.Format("Sent SimulationResponse object"));
running = false;
}
else if (sim_request.header.Equals("SYN"))
{
logger.TimestampInfo("Received SYN");
PlaybookForSimulator = sim_request.playbook;
ReconResponse recon_response;
if (sim_request.recon_type.Equals("privileged"))
{
privileged = true;
}
parentprocess = Recon.GetHostProcess(privileged);
if (parentprocess != null && Recon.GetExplorer() != null)
{
duser = Recon.GetProcessOwnerWmi(Recon.GetExplorer());
recon_response = new ReconResponse(duser, parentprocess.ProcessName, parentprocess.Id.ToString(), privileged.ToString());
user = duser.Split('\\')[1];
logger.TimestampInfo(String.Format("Recon identified {0} logged in. Process to Spoof: {1} PID: {2}", duser, parentprocess.ProcessName, parentprocess.Id));
}
else
{
recon_response = new ReconResponse("", "", "", "");
logger.TimestampInfo("Recon did not identify any logged users");
}
simulator_full_path = "C:\\Users\\" + user + "\\" + sim_request.playbook.simulator_relative_path;
int index = sim_request.playbook.simulator_relative_path.LastIndexOf(@"\");
simulator_binary = sim_request.playbook.simulator_relative_path.Substring(index + 1);
sim_response = new SimulationResponse("SYN/ACK", recon_response);
byte[] bytes_sim_response = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(sim_response));
pipeServer.Write(bytes_sim_response, 0, bytes_sim_response.Length);
logger.TimestampInfo(String.Format("Sent SimulationResponse object"));
}
else if (sim_request.header.Equals("ACT"))
{
logger.TimestampInfo("Received ACT");
if (PlaybookForSimulator.opsec.Equals("ppid"))
{
logger.TimestampInfo("Using Parent Process Spoofing technique for Opsec");
logger.TimestampInfo("Spoofing " + parentprocess.ProcessName + " PID: " + parentprocess.Id.ToString());
logger.TimestampInfo("Executing: " + simulator_full_path + " /n");
//Launcher.SpoofParent(parentprocess.Id, simpath, simbin + " " + cmdline);
//Launcher.SpoofParent(parentprocess.Id, simpfath, simrpath + " /s");
Launcher.SpoofParent(parentprocess.Id, simulator_full_path, simulator_binary + " /n");
//Launcher.SpoofParent(parentprocess.Id, simpfath, simbinary + " /s");
//logger.TimestampInfo("Sending payload to Simulation Agent through namedpipe: " + "technique:" + s_payload.techniques + " pbsleep:" + s_payload.playbook_sleep + " tsleep:" + s_payload.task_sleep + " cleanup:" + s_payload.cleanup);
logger.TimestampInfo("Sending Simulation Playbook to Simulation Agent through namedpipe: " + PlaybookForSimulator.simulator_relative_path);
byte[] bytes_sim_rqeuest = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(new SimulationRequest("ACK", "", PlaybookForSimulator)));
string result = NamedPipes.RunNoAuthClientSerialized(simulator_np, bytes_sim_rqeuest);
logger.TimestampInfo("Received back from Simulator " + result);
}
sim_response = new SimulationResponse("ACK");
byte[] bytes_sim_response = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(sim_response));
pipeServer.Write(bytes_sim_response, 0, bytes_sim_response.Length);
logger.TimestampInfo(String.Format("Sent SimulationResponse object 2"));
running = false;
}
else if (sim_request.header.Equals("FIN"))
{
logger.TimestampInfo("Received a FIN command");
sim_response = new SimulationResponse("ACK");
byte[] bytes_sim_response = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(sim_response));
pipeServer.Write(bytes_sim_response, 0, bytes_sim_response.Length);
running = false;
}
pipeServer.Disconnect();
}
}
}
catch (Exception ex)
{
logger.TimestampInfo(ex.ToString());
logger.TimestampInfo(ex.Message.ToString());
}
}
public static List <Computer> GetHostTargets(PlaybookTask playbook_task, Logger logger)
{
List <Computer> host_targets = new List <Computer>();
Computer host_target = new Computer();
IPAddress ipAddress = null;
bool isValidIp;
switch (playbook_task.host_target_type)
{
case 1:
if (playbook_task.host_targets.Length > 1)
{
foreach (string target in playbook_task.host_targets)
{
isValidIp = IPAddress.TryParse(target, out ipAddress);
if (isValidIp)
{
host_target = new Computer("", target);
}
else
{
host_target = new Computer(target, Networking.ResolveHostname(target).ToString());
}
host_targets.Add(host_target);
}
logger.TimestampInfo(String.Format("Using {0} targets defined in the playbook", playbook_task.host_targets.Length.ToString()));
}
else
{
isValidIp = IPAddress.TryParse(playbook_task.host_targets[0], out ipAddress);
if (isValidIp)
{
host_target = new Computer("", playbook_task.host_targets[0]);
}
else
{
host_target = new Computer(playbook_task.host_targets[0], Networking.ResolveHostname(playbook_task.host_targets[0]).ToString());
}
logger.TimestampInfo(String.Format("Using {0} {1} as the target", host_target.ComputerName, host_target.IPv4));
host_targets.Add(host_target);
}
break;
case 2:
logger.TimestampInfo("Targeting a random domain hosts");
host_targets = GetDomainNeighborTargets(playbook_task.host_target_total, logger);
logger.TimestampInfo(String.Format("Obtained {0} host records", host_targets.Count));
/*
* // Pick one random host
* var random = new Random();
* int index = random.Next(host_targets.Count);
* host_target = host_targets[index];
* logger.TimestampInfo(String.Format("Randomly picked {0} {1} as the target", host_target.ComputerName, host_target.IPv4));
* host_targets.Clear();
* host_targets.Add(host_target);
*/
break;
default:
return(host_targets);
}
return(host_targets);
}
public static List <Computer> GetHostTargets(PlaybookTask playbook_task, Logger logger)
{
List <Computer> host_targets = new List <Computer>();
Computer host_target = new Computer();
bool isValidIp;
switch (playbook_task.host_target_type)
{
case 1:
IPAddress ipAddress = null;
isValidIp = IPAddress.TryParse(playbook_task.host_targets[0], out ipAddress);
if (isValidIp)
{
host_target = new Computer("", playbook_task.host_targets[0]);
}
else
{
host_target = new Computer(playbook_task.host_targets[0], Networking.ResolveHostname(playbook_task.host_targets[0]).ToString());
}
logger.TimestampInfo(String.Format("Using {0} {1} as the target", host_target.ComputerName, host_target.IPv4));
host_targets.Add(host_target);
break;
case 2:
logger.TimestampInfo("Targeting a random domain host target");
host_targets = GetDomainNeighborTargets(playbook_task.host_target_total, logger);
logger.TimestampInfo(String.Format("Obtained {0} host records", host_targets.Count));
var random = new Random();
int index = random.Next(host_targets.Count);
host_target = host_targets[index];
logger.TimestampInfo(String.Format("Randomly picked {0} {1} as the target", host_target.ComputerName, host_target.IPv4));
host_targets.Clear();
host_targets.Add(host_target);
break;
case 3:
//TODO: This option is not needed, It can be part of case 1.
logger.TimestampInfo(String.Format("Targeting {0} hosts defined in playbook", playbook_task.host_targets.Length));
for (int i = 0; i < playbook_task.host_targets.Length; i++)
{
isValidIp = IPAddress.TryParse(playbook_task.host_targets[i], out ipAddress);
if (isValidIp)
{
host_target = new Computer("", playbook_task.host_targets[i]);
}
else
{
host_target = new Computer(playbook_task.host_targets[i], Networking.ResolveHostname(playbook_task.host_targets[i]).ToString());
}
host_targets.Add(host_target);
}
break;
case 4:
logger.TimestampInfo("Targeting random domain hosts");
host_targets = GetDomainNeighborTargets(playbook_task.host_target_total, logger);
logger.TimestampInfo(String.Format("Obtained {0} host records", host_targets.Count));
break;
default:
return(host_targets);
}
return(host_targets);
}
//Based on https://github.com/malcomvetter/NamedPipes
public static void RunScoutService(string scout_np, string simulator_np, string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Logger logger = new Logger(currentPath + log);
bool running = true;
bool privileged = false;
string technique, opsec, simpfath, simrpath, duser, user, simbinary, cleanup;
technique = opsec = simpfath = simrpath = duser = user = simbinary = cleanup = "";
Process parentprocess = null;
int pbsleep, tsleep;
pbsleep = tsleep = 0;
System.Threading.Thread.Sleep(1500);
try
{
using (var pipeServer = new NamedPipeServerStream(scout_np, PipeDirection.InOut, NamedPipeServerStream.MaxAllowedServerInstances, PipeTransmissionMode.Message))
{
logger.TimestampInfo("Starting scout namedpipe service with PID:" + Process.GetCurrentProcess().Id);
while (running)
{
var reader = new StreamReader(pipeServer);
var writer = new StreamWriter(pipeServer);
//logger.TimestampInfo("Waiting for client connection...");
pipeServer.WaitForConnection();
//logger.TimestampInfo("Client connected!");
var line = reader.ReadLine();
logger.TimestampInfo("Received from client: " + line);
if (line.ToLower().Equals("syn"))
{
//logger.TimestampInfo("sending back to client: " + "SYN/ACK");
writer.WriteLine("SYN/ACK");
writer.Flush();
}
else if (line.ToLower().Equals("auditpol"))
{
writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetAuditPolicy())));
writer.Flush();
}
else if (line.ToLower().Equals("wef"))
{
writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetWefSettings())));
writer.Flush();
}
else if (line.ToLower().Equals("pws"))
{
writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetPwsLoggingSettings())));
writer.Flush();
}
else if (line.ToLower().Equals("ps"))
{
writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetProcs())));
writer.Flush();
}
else if (line.ToLower().Equals("svcs"))
{
writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetServices())));
writer.Flush();
}
else if (line.ToLower().Equals("cmdline"))
{
writer.WriteLine(System.Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(Recon.GetCmdlineAudittingSettings())));
writer.Flush();
}
else if (line.ToLower().StartsWith("recon:"))
{
string payload = "";
if (line.Replace("recon:", "").Equals("privileged"))
{
privileged = true;
}
parentprocess = Recon.GetHostProcess(privileged);
if (parentprocess != null && Recon.GetExplorer() != null)
{
duser = Recon.GetProcessOwnerWmi(Recon.GetExplorer());
user = duser.Split('\\')[1];
logger.TimestampInfo(String.Format("Recon identified {0} logged in. Process to Spoof: {1} PID: {2}", duser, parentprocess.ProcessName, parentprocess.Id));
payload = String.Format("{0},{1},{2},{3}", duser, parentprocess.ProcessName, parentprocess.Id, privileged.ToString());
}
else
{
payload = ",,,";
logger.TimestampInfo("Recon did not identify any logged users");
}
writer.WriteLine(payload);
writer.Flush();
}
else if (line.ToLower().StartsWith("sc:"))
{
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("technique:"))
{
technique = line.Replace("technique:", "");
//logger.TimestampInfo("Got params from client");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("pbsleep:"))
{
pbsleep = Int32.Parse(line.Replace("pbsleep:", ""));
//logger.TimestampInfo("Got params from client");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("tsleep:"))
{
tsleep = Int32.Parse(line.Replace("tsleep:", ""));
//logger.TimestampInfo("Got params from client");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("opsec:"))
{
opsec = line.Replace("opsec:", "");
//logger.TimestampInfo("Got opsec technique from client");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("cleanup:"))
{
cleanup = line.Replace("cleanup:", "");
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.ToLower().StartsWith("simrpath:"))
{
simrpath = line.Replace("simrpath:", "");
//logger.TimestampInfo("sending back to client: " + "ACK");
//simpath = "C:\\Users\\" + loggeduser + "\\Downloads\\" + simbin;
simpfath = "C:\\Users\\" + user + "\\" + simrpath;
int index = simrpath.LastIndexOf(@"\");
simbinary = simrpath.Substring(index + 1);
writer.WriteLine("ACK");
writer.Flush();
}
else if (line.Equals("act"))
{
logger.TimestampInfo("Received act!");
//logger.TimestampInfo("sending back to client: " + "ACK");
writer.WriteLine("ACK");
writer.Flush();
if (opsec.Equals("ppid"))
{
logger.TimestampInfo("Using Parent Process Spoofing technique for Opsec");
logger.TimestampInfo("Spoofing " + parentprocess.ProcessName + " PID: " + parentprocess.Id.ToString());
logger.TimestampInfo("Executing: " + simpfath + " /n");
//Launcher.SpoofParent(parentprocess.Id, simpath, simbin + " " + cmdline);
//Launcher.SpoofParent(parentprocess.Id, simpfath, simrpath + " /s");
Launcher.SpoofParent(parentprocess.Id, simpfath, simbinary + " /n");
//Launcher.SpoofParent(parentprocess.Id, simpfath, simbinary + " /s");
System.Threading.Thread.Sleep(3000);
logger.TimestampInfo("Sending payload to Scout Aggent through namedpipe: " + "technique:" + technique + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:" + cleanup);
RunNoAuthClient(simulator_np, "technique:" + technique + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:" + cleanup);
System.Threading.Thread.Sleep(2000);
}
}
else if (line.ToLower().Equals("quit"))
{
logger.TimestampInfo("Received quit! Exitting namedpipe");
//logger.TimestampInfo("sending back to client: " + "quit");
writer.WriteLine("quit");
writer.Flush();
running = false;
}
pipeServer.Disconnect();
}
}
}
catch (Exception ex)
{
logger.TimestampInfo(ex.ToString());
logger.TimestampInfo(ex.Message.ToString());
}
}