private async void Launch_Clicked(object sender, RoutedEventArgs e)
{
RemoteSystem selectedSystem = SystemListComboBox.SelectedItem as RemoteSystem;
if (selectedSystem != null)
{
Uri uri;
if (Uri.TryCreate(UriTextBox.Text, UriKind.Absolute, out uri))
{
UpdateStatus("LaunchUriAsync called. Waiting for response...", NotifyType.StatusMessage);
// Launch URI on the remote system.
// Note: LaunchUriAsync needs to called from the UI thread.
RemoteLaunchUriStatus launchUriStatus = await RemoteLauncher.LaunchUriAsync(new RemoteSystemConnectionRequest(selectedSystem), uri);
UpdateStatus("LaunchUriStatus = " + launchUriStatus.ToString(), launchUriStatus == RemoteLaunchUriStatus.Success ? NotifyType.StatusMessage : NotifyType.ErrorMessage);
}
else
{
UpdateStatus("Please enter a valid URI.", NotifyType.ErrorMessage);
}
}
else
{
UpdateStatus("Please select a system.", NotifyType.ErrorMessage);
}
}
private async void RemoteActivated(object sender, RoutedEventArgs e)
{
var fw = sender as FrameworkElement;
if (fw == null)
{
return;
}
var remote = fw.DataContext as RemoteSystem;
if (remote == null)
{
return;
}
var res = await RemoteSystem.RequestAccessAsync();
if (res != RemoteSystemAccessStatus.Allowed)
{
return;
}
bool isRemoteSystemLaunchUriCapable = await remote.GetCapabilitySupportedAsync(KnownRemoteSystemCapabilities.LaunchUri);
bool isRemoteSystemAppServiceCapable = await remote.GetCapabilitySupportedAsync(KnownRemoteSystemCapabilities.AppService);
bool isRemoteSystemRemoteSessionCapable = await remote.GetCapabilitySupportedAsync(KnownRemoteSystemCapabilities.RemoteSession);
bool isRemoteSystemSpatialEntityCapable = await remote.GetCapabilitySupportedAsync(KnownRemoteSystemCapabilities.SpatialEntity);
var rscr = new RemoteSystemConnectionRequest(remote);
var uri = new Uri("http://www.google.co.uk");
var status = await RemoteLauncher.LaunchUriAsync(rscr, uri);
}
public async Task <RomeRemoteLaunchUriStatus> LaunchUri(Uri uri, object remoteSystemOverride)
{
RemoteSystem rs = null;
if (remoteSystemOverride != null)
{
rs = remoteSystemOverride as RemoteSystem;
if (rs == null)
{
throw new InvalidCastException();
}
}
var request = new RemoteSystemConnectionRequest(rs);
var launchUriStatus = await RemoteLauncher.LaunchUriAsync(request, uri);
var result = launchUriStatus.ConvertToRomeRemoteLaunchUriStatus();
if (result == RomeRemoteLaunchUriStatus.ProtocolUnavailable)
{
await LaunchStoreForApp(rs);
}
return(result);
}
public async void OnContinueWatching()
{
if (SelectedSystem != null)
{
await RemoteLauncher.LaunchUriAsync(
new RemoteSystemConnectionRequest(SelectedSystem),
new Uri($"myvideoapp://?video={SelectedVideo.Name}&position={CurrentPosition.TotalSeconds}"));
}
}
private async void RemoteLaunchUriAsync(RemoteSystem remoteSystem, Uri uri)
{
var launchUriStatus = await RemoteLauncher.LaunchUriAsync(new RemoteSystemConnectionRequest(remoteSystem), uri);
if (launchUriStatus != RemoteLaunchUriStatus.Success)
{
Console.WriteLine("Failed to Launch!");
}
}
public static async Task <RemoteLaunchUriStatus> ExecuteCommand(RemoteSystem remoteSystem, Command comm)
{
if (remoteSystem != null)
{
return(await RemoteLauncher.LaunchUriAsync(new RemoteSystemConnectionRequest(remoteSystem), new Uri(comm.ToString())));
}
else
{
return(RemoteLaunchUriStatus.RemoteSystemUnavailable);
}
}
private async Task <RemoteLaunchUriStatus> LaunchAppOnDeviceAsync(RemoteSystem device, string args)
{
if (!IsSupported)
{
return(RemoteLaunchUriStatus.Unknown);
}
RemoteSystemConnectionRequest request = new RemoteSystemConnectionRequest(device);
return(await RemoteLauncher.LaunchUriAsync(request, new Uri("nep:" + args)));
}
internal static async void SelectOption(string text)
{
switch (currentState)
{
case AppState.selectingURL:
currentURL = text;
RemoteSystemAccessStatus accessStatus = await RemoteSystem.RequestAccessAsync();
if (accessStatus == RemoteSystemAccessStatus.Allowed)
{
var remoteSystemWatcher = RemoteSystem.CreateWatcher();
remoteSystemWatcher.RemoteSystemAdded += RemoteSystemWatcher_RemoteSystemAdded;
remoteSystemWatcher.RemoteSystemRemoved += RemoteSystemWatcher_RemoteSystemRemoved;
remoteSystemWatcher.RemoteSystemUpdated += RemoteSystemWatcher_RemoteSystemUpdated;
remoteSystemWatcher.Start();
(currentPage as SelectList).setMessage("Finding devices");
(currentPage as SelectList).setList(startingDevices);
currentState = AppState.selectingDevice;
}
else
{
(currentPage as SelectList).setMessage("Select a device");
(currentPage as SelectList).setList(startingDevices);
currentState = AppState.selectingDevice;
}
break;
case AppState.selectingDevice:
var downloadUrl = new Uri("https://arcadiogarcia.github.io/HTML5VideoDownloadUWP/?" + Uri.EscapeDataString(currentURL));
if (startingDevices.Contains(text))
{
//Asuming it never fails
await Windows.System.Launcher.LaunchUriAsync(downloadUrl);
Application.Current.Exit();
}
else
{
var launchUriStatus = await RemoteLauncher.LaunchUriAsync(new RemoteSystemConnectionRequest(remoteSystems.Find(x => x.DisplayName == text)), downloadUrl);
if (launchUriStatus == RemoteLaunchUriStatus.Success)
{
Application.Current.Exit();
}
else
{
(currentPage as SelectList).setMessage(launchUriStatus.ToString());
}
}
break;
}
}
private async void button_Click(object sender, RoutedEventArgs e)
{
// <SnippetRemoteUriLaunch>
if (m_deviceList.Count > 0)
{
RemoteSystem SelectedDevice = m_deviceList[0];
RemoteLaunchUriStatus launchUriStatus =
await RemoteLauncher.LaunchUriAsync(
new RemoteSystemConnectionRequest(SelectedDevice),
new Uri("bingmaps:?cp=47.6204~-122.3491&sty=3d&rad=200&pit=75&hdg=165"));
}
// </SnippetRemoteUriLaunch>
}
public async void OnInvokeRemoteSystemByUriAsync(object sender, RoutedEventArgs e)
{
if (currentRemoteSystem == null)
{
return;
}
// 檢查設備是否支援需要的特性
//await currentRemoteSystem.GetCapabilitySupportedAsync(KnownRemoteSystemCapabilities.LaunchUri)
var launchRequest = new RemoteSystemConnectionRequest(currentRemoteSystem);
var result = await RemoteLauncher.LaunchUriAsync(launchRequest, new Uri("https://poumason.blogspot.com"));
Debug.WriteLine(result.ToString());
}
public async Task LaunchUriAsync()
{
using (await _launchUriAsyncLock.LockAsync())
{
LaunchRemoteUriResult = string.Empty;
var target = SelectedRemoteSystem;
if (target == null)
{
LaunchRemoteUriResult = "Il faut sélectionner une cible...";
return;
}
if (!string.IsNullOrEmpty(TargetLaunchHost))
{
// construct a HostName object
Windows.Networking.HostName deviceHost = new Windows.Networking.HostName(TargetLaunchHost);
// create a RemoteSystem object with the HostName
var remotesys = await RemoteSystem.FindByHostNameAsync(deviceHost);
if (remotesys != null)
{
LaunchRemoteUriResult = "Cible trouvée";
target = remotesys;
}
}
var targetRs = RemoteSystems
.FirstOrDefault(r => r.Status == RemoteSystemStatus.Available);
var request = new RemoteSystemConnectionRequest(targetRs);
var uri = new Uri(TargetLaunchUri);
var launchUriTask = RemoteLauncher.LaunchUriAsync(request, uri);
LaunchRemoteUriResult = "Appel en cours...";
var timeout = Task.Delay(13000);
await Task.WhenAny(timeout, launchUriTask.AsTask());
if (timeout.IsCompleted)
{
LaunchRemoteUriResult = "Timeout.... ";
}
else
{
var result = await launchUriTask;
LaunchRemoteUriResult = "Appel effectué : " + result;
}
}
}
private async void RemoteLaunchUriAsync(RemoteSystem remoteSystem, Uri uri)
{
this.LogMessage("Launching URI: " + uri + " on " + remoteSystem.DisplayName);
var launchUriStatus = await RemoteLauncher.LaunchUriAsync(new RemoteSystemConnectionRequest(remoteSystem), uri);
if (launchUriStatus == RemoteLaunchUriStatus.Success)
{
this.LogMessage("Launch succeeded");
}
else
{
this.LogMessage("Launch failed due to [" + launchUriStatus.ToString() + "]");
}
}
public static async Task LaunchAndConnect(RemoteSystem remoteSystem)
{
//Launch app on remote device
var uri = new Uri("rome-dlc:");
var launchUriStatus = await RemoteLauncher.LaunchUriAsync(new RemoteSystemConnectionRequest(remoteSystem), uri);
if (launchUriStatus == RemoteLaunchUriStatus.Success)
{
StatusWrite("App launched on: " + remoteSystem.DisplayName);
await SendMessageToRemoteSystemAsync(remoteSystem, "Hello");
}
else
{
StatusWrite("Error: " + launchUriStatus);
}
}
public async Task LaunchOnSystem(RemoteSystem system)
{
BrowserPageViewModel browserVM = SimpleIoc.Default.GetInstance <BrowserPageViewModel>();
string collectionJson = "{}";
if (browserVM.Images is IJsonizable)
{
collectionJson = (browserVM.Images as IJsonizable).toJson();
}
ValueSet values = new ValueSet();
values["images"] = collectionJson;
values["index"] = browserVM.FlipViewIndex;
RemoteLauncherOptions option = new RemoteLauncherOptions();
option.FallbackUri = new Uri("https://www.microsoft.com/store/p/monocle-giraffe/9nblggh4qcvh");
RemoteLaunchUriStatus launchUriStatus = await RemoteLauncher.LaunchUriAsync(new RemoteSystemConnectionRequest(system),
new Uri($"imgur:?images={collectionJson}&index={browserVM.FlipViewIndex}&type={browserVM.Images.GetType().Name}"));
}
public async void RemoteSystemItemClick(object sender, ItemClickEventArgs e)
{
try
{
LoadingPane.Visibility = Windows.UI.Xaml.Visibility.Visible;
var system = (RemoteSystem)e.ClickedItem;
if (SimpleIoc.Default.GetInstance <IPlaybackService>().GetCurrentTrack() != null)
{
var track = new BaseSoundByteItem(SimpleIoc.Default.GetInstance <IPlaybackService>().GetCurrentTrack());
var playlist = SimpleIoc.Default.GetInstance <IPlaybackService>().GetMediaPlaybackList().Items.Select(x => new BaseSoundByteItem(x.Source.AsBaseTrack()));
var token = SimpleIoc.Default.GetInstance <IPlaybackService>().GetPlaylistToken();
var source = SimpleIoc.Default.GetInstance <IPlaybackService>().GetPlaylistSource();
var status = await RemoteLauncher.LaunchUriAsync(new RemoteSystemConnectionRequest(system),
new Uri(ProtocolHelper.EncodeTrackProtocolItem(new ProtocolHelper.TrackProtocolItem(source, track, playlist, token, SimpleIoc.Default.GetInstance <IPlaybackService>().GetTrackDuration()), true)));
if (status == RemoteLaunchUriStatus.Success)
{
Hide();
LoadingPane.Visibility = Windows.UI.Xaml.Visibility.Collapsed;
}
else
{
Hide();
LoadingPane.Visibility = Windows.UI.Xaml.Visibility.Collapsed;
await NavigationService.Current.CallMessageDialogAsync("Failed with status: " + status, "Remote System Error");
}
}
else
{
Hide();
LoadingPane.Visibility = Windows.UI.Xaml.Visibility.Collapsed;
await NavigationService.Current.CallMessageDialogAsync("A track must be playing", "Remote System Error");
}
}
finally
{
LoadingPane.Visibility = Windows.UI.Xaml.Visibility.Collapsed;
}
}
/// <summary>
/// Start the slideshow on the remote system
/// </summary>
/// <param name="system"></param>
/// <param name="deepLink"></param>
/// <returns></returns>
public async Task <bool> ConnectToSystem(AdventureRemoteSystem system, string deepLink = "")
{
ValueSet message = new ValueSet();
message.Add("query", ConnectedServiceQuery.StartHostingSession.ToString());
var response = await system.SendMessage(message);
if (response != null && response.ContainsKey("success") && (bool)response["success"])
{
var status = (ConnectedServiceStatus)Enum.Parse(typeof(ConnectedServiceStatus), (String)response["status"]);
if (status != ConnectedServiceStatus.HostingNotConnected && status != ConnectedServiceStatus.HostingConnected)
{
var launchUriStatus =
await RemoteLauncher.LaunchUriAsync(
new RemoteSystemConnectionRequest(system.RemoteSystem),
new Uri("adventure:" + deepLink)).AsTask().ConfigureAwait(false);
if (launchUriStatus != RemoteLaunchUriStatus.Success)
{
return(false);
}
}
if (_remoteSystem != system)
{
if (_remoteSystem != null)
{
_remoteSystem.MessageReceived -= _remoteSystem_MessageReceived;
_remoteSystem = null;
}
_remoteSystem = system;
_remoteSystem.MessageReceived += _remoteSystem_MessageReceived;
}
return(true);
}
return(false);
}
private async void selectFromList(object sender, SelectionChangedEventArgs e)
{
RemoteSystem selection = ((sender as ListBox).SelectedItem as RemoteSystem);
if (selection != null)
{
/**
*
* Windows.Storage.StorageFolder storageFolder = Windows.Storage.ApplicationData.Current.LocalFolder;
* Windows.Storage.StorageFile sampleFile =
* await storageFolder.CreateFileAsync("helloworld.pdf",
* Windows.Storage.CreationCollisionOption.ReplaceExisting);
*
* sampleFile = await storageFolder.GetFileAsync("helloworld.pdf");
* await Windows.Storage.FileIO.WriteTextAsync(sampleFile, "Hello World");
* // var success = await Windows.System.Launcher.LaunchFileAsync(sampleFile);
* //after the device is selected, create a new session for particpants to join
* Debug.WriteLine(sampleFile.Path);
* var uri = new System.Uri(sampleFile.Path);
* var converted = uri.AbsoluteUri;
*
* Windows.System.LauncherOptions options = new Windows.System.LauncherOptions();
* options.ContentType = "application/pdf";
* Windows.System.Launcher.LaunchUriAsync(new Uri(sampleFile.Path), options);
**/
RemoteLaunchUriStatus launchURIstatus = await RemoteLauncher.LaunchUriAsync(
new RemoteSystemConnectionRequest(selection),
new Uri($"ms-chat:?Body={"Hello World"}"));
// Debug.WriteLine(uri.AbsoluteUri);
Debug.WriteLine("3");
//await CreateSession(selection);
//StartRecievingMessages();
//rmeote system connection request
//RemoteSystemConnectionRequest connRequest = new RemoteSystemConnectionRequest(selection);
}
}
public static async Task LaunchRemoteUriAsync(RemoteSystem remoteSystem, Uri uri)
{
if (remoteSystem != null)
{
var connection = new RemoteSystemConnectionRequest(remoteSystem);
Events.TrackEvent(Events.LaunchUriAsyncStart);
var result = await RemoteLauncher.LaunchUriAsync(connection, uri);
if (result == RemoteLaunchUriStatus.Success)
{
Events.TrackEvent(Events.LaunchUriAsyncSuccess);
}
switch (result)
{
case RemoteLaunchUriStatus.Success:
Events.TrackEvent(Events.LaunchUriAsyncSuccess);
break;
case RemoteLaunchUriStatus.DeniedByRemoteSystem:
Events.TrackEvent(Events.LaunchUriAsyncErrorDeniedByRemoteSystem);
break;
case RemoteLaunchUriStatus.ProtocolUnavailable:
Events.TrackEvent(Events.LaunchUriAsyncErrorProtocolUnavailable);
break;
case RemoteLaunchUriStatus.RemoteSystemUnavailable:
Events.TrackEvent(Events.LaunchUriAsyncErrorRemoteSystemUnavailable);
break;
default:
Events.TrackEvent(Events.LaunchUriAsyncErrorOther);
break;
}
}
}
public static async Task <RemoteLaunchUriStatus> TryBeginShareFile(RemoteSystem device, string fileName, string ipAddress)
{
RemoteSystemConnectionRequest connectionRequest = new RemoteSystemConnectionRequest(device);
return(await RemoteLauncher.LaunchUriAsync(connectionRequest, new Uri("share-app:?FileName=" + fileName + "&IpAddress=" + ipAddress)));
}
public static SimulationPlaybookResult ExecuteRemoteTechniquesJson(string rhost, string domain, string ruser, string rpwd, string techniques, int pbsleep, int tsleep, string scoutfpath, string scout_np, string simrpath, string log, bool opsec, bool verbose)
{
// techniques that need to be executed from a high integrity process
string[] privileged_techniques = new string[] { "T1003.001", "T1136.001", "T1070.001", "T1543.003", "T1546.003" };
string uploadPath = System.Reflection.Assembly.GetEntryAssembly().Location;
int index = scoutfpath.LastIndexOf(@"\");
string scoutFolder = scoutfpath.Substring(0, index + 1);
Thread.Sleep(3000);
if (opsec)
{
string result = "";
string args = "/o";
//Console.WriteLine("[+] Uploading Scout to {0} on {1}", scoutfpath, rhost);
RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
//Console.WriteLine("[+] Executing the Scout via WMI ...");
RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd);
//Console.WriteLine("[+] Connecting to namedpipe service ...");
result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN");
if (result.Equals("SYN/ACK"))
{
//Console.WriteLine("[+] OK");
if (privileged_techniques.Contains(techniques.ToUpper()))
{
result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:privileged");
}
else
{
result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:regular");
}
string[] payload = result.Split(',');
string duser = payload[0];
if (duser == "")
{
Console.WriteLine("[!] Could not identify a suitable process for the simulation. Is a user logged in on: " + rhost + "?");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
Thread.Sleep(1000);
RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
//Console.WriteLine("[!] Exitting.");
return(null);
}
else
{
string user = duser.Split('\\')[1];
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "simrpath:" + simrpath);
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "technique:" + techniques);
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "opsec:" + "ppid");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pbsleep:" + pbsleep.ToString());
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "tsleep:" + tsleep.ToString());
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cleanup:True");
string simfpath = "C:\\Users\\" + user + "\\" + simrpath;
int index2 = simrpath.LastIndexOf(@"\");
string simrfolder = simrpath.Substring(0, index2 + 1);
string simfolder = "C:\\Users\\" + user + "\\" + simrfolder;
//Console.WriteLine("[+] Uploading Simulation agent to " + simfpath);
RemoteLauncher.upload(uploadPath, simfpath, rhost, ruser, rpwd, domain);
//Console.WriteLine("[+] Triggering simulation...");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "act");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
System.Threading.Thread.Sleep(5000);
bool finished = false;
int counter = 1;
string results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
while (finished == false)
{
if (results.Split('\n').Last().Contains("Playbook Finished"))
{
Console.WriteLine("[+] Results:");
Console.WriteLine();
Console.WriteLine(results);
Console.WriteLine();
RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
RemoteLauncher.delete(simfpath, rhost, ruser, rpwd, domain);
RemoteLauncher.delete(simfolder + log, rhost, ruser, rpwd, domain);
finished = true;
}
else
{
Console.WriteLine("[+] Not finished. Waiting an extra {0} seconds", counter * 10);
Thread.Sleep(counter * 10 * 1000);
results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
}
counter += 1;
}
return(Json.GetPlaybookResult(results));
}
}
else
{
//Console.WriteLine("[!] Could not connect to namedpipe service");
return(null);
}
}
else
{
//Console.WriteLine("[+] Uploading PurpleSharp to {0} on {1}", scoutfpath, rhost);
RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
string cmdline = "/t " + techniques;
//Console.WriteLine("[+] Executing PurpleSharp via WMI ...");
RemoteLauncher.wmiexec(rhost, scoutfpath, cmdline, domain, ruser, rpwd);
Thread.Sleep(3000);
Console.WriteLine("[+] Obtaining results...");
string results = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
Console.WriteLine("[+] Results:");
Console.WriteLine();
Console.WriteLine(results);
//Console.WriteLine("[+] Cleaning up...");
//Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
//
//Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
return(Json.GetPlaybookResult(results));
}
}
public static void ExecuteRemoteTechniques(string rhost, string domain, string ruser, string rpwd, string techniques, int pbsleep, int tsleep, string scoutfpath, string scout_np, string simrpath, string simulator_np, string log, bool opsec, bool verbose, bool cleanup)
{
// techniques that need to be executed from a high integrity process
string[] privileged_techniques = new string[] { "T1003.001", "T1136.001", "T1070.001", "T1543.003", "T1546.003" };
if (rpwd == "")
{
Console.Write("Password for {0}\\{1}: ", domain, ruser);
rpwd = Utils.GetPassword();
Console.WriteLine();
}
string uploadPath = System.Reflection.Assembly.GetEntryAssembly().Location;
int index = scoutfpath.LastIndexOf(@"\");
string scoutFolder = scoutfpath.Substring(0, index + 1);
System.Threading.Thread.Sleep(3000);
if (opsec)
{
string result = "";
string args = "/o";
Console.WriteLine("[+] Uploading and executing the Scout on {0} ", @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd);
Console.WriteLine("[+] Connecting to the Scout ...");
result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN");
if (result.Equals("SYN/ACK"))
{
Console.WriteLine("[+] OK");
if (privileged_techniques.Contains(techniques.ToUpper()))
{
result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:privileged");
}
else
{
result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "recon:regular");
}
string[] payload = result.Split(',');
string duser = payload[0];
if (duser == "")
{
Console.WriteLine("[!] Could not identify a suitable process for the simulation. Is a user logged in on: " + rhost + "?");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
Thread.Sleep(1000);
RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
Console.WriteLine("[!] Exitting.");
return;
}
else
{
string user = duser.Split('\\')[1];
//Console.WriteLine("[+] Sending simulator binary...");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "simrpath:" + simrpath);
//Console.WriteLine("[+] Sending technique ...");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "technique:" + techniques);
//Console.WriteLine("[+] Sending opsec techqniue...");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "opsec:" + "ppid");
//Console.WriteLine("[+] Sending sleep...");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pbsleep:" + pbsleep.ToString());
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "tsleep:" + tsleep.ToString());
if (cleanup)
{
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cleanup:True");
}
else
{
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cleanup:False");
}
Console.WriteLine("[!] Recon -> " + String.Format("Identified logged user: {0}", duser));
string simfpath = "C:\\Users\\" + user + "\\" + simrpath;
int index2 = simrpath.LastIndexOf(@"\");
string simrfolder = simrpath.Substring(0, index2 + 1);
string simfolder = "C:\\Users\\" + user + "\\" + simrfolder;
Console.WriteLine("[+] Uploading Simulation agent to " + @"\\" + rhost + @"\" + simfpath.Replace(":", "$"));
RemoteLauncher.upload(uploadPath, simfpath, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Triggering simulation using PPID Spoofing | Process: {0}.exe | PID: {1} | High Integrity: {2}", payload[1], payload[2], payload[3]);
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "act");
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
if (verbose)
{
Console.WriteLine("[+] Grabbing the Scout output...");
System.Threading.Thread.Sleep(1000);
string sresults = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
Console.WriteLine("[+] Results:");
Console.WriteLine();
Console.WriteLine(sresults);
}
Thread.Sleep(5000);
bool finished = false;
int counter = 1;
string results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
while (finished == false)
{
if (results.Split('\n').Last().Contains("Playbook Finished"))
{
//Console.WriteLine("[+] Obtaining the Simulation Agent output...");
Console.WriteLine("[+] Results:");
Console.WriteLine();
Console.WriteLine(results);
Console.WriteLine();
Console.WriteLine("[+] Cleaning up...");
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + simfpath.Replace(":", "$"));
RemoteLauncher.delete(simfpath, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (simfolder + log).Replace(":", "$"));
RemoteLauncher.delete(simfolder + log, rhost, ruser, rpwd, domain);
finished = true;
}
else
{
Console.WriteLine("[+] Not finished. Waiting an extra {0} seconds", counter * 10);
Thread.Sleep(counter * 10 * 1000);
results = RemoteLauncher.readFile(rhost, simfolder + log, ruser, rpwd, domain);
}
counter += 1;
}
}
}
else
{
Console.WriteLine("[!] Could not connect to namedpipe service");
Console.WriteLine("[!] Exitting.");
return;
}
}
else
{
Console.WriteLine("[+] Uploading and executing the Simulation agent on {0} ", @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
RemoteLauncher.wmiexec(rhost, scoutfpath, "/s", domain, ruser, rpwd);
Thread.Sleep(2000);
if (cleanup)
{
NamedPipes.RunClient(rhost, domain, ruser, rpwd, simulator_np, "technique:" + techniques + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:True");
}
else
{
NamedPipes.RunClient(rhost, domain, ruser, rpwd, simulator_np, "technique:" + techniques + " pbsleep:" + pbsleep.ToString() + " tsleep:" + tsleep.ToString() + " cleanup:False");
}
Thread.Sleep(5000);
bool finished = false;
int counter = 1;
string results = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
while (finished == false)
{
if (results.Split('\n').Last().Contains("Playbook Finished"))
{
Console.WriteLine("[+] Obtaining results...");
Console.WriteLine("[+] Results:");
Console.WriteLine();
Console.WriteLine(results);
Console.WriteLine();
Console.WriteLine("[+] Cleaning up...");
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
finished = true;
}
else
{
Console.WriteLine("[+] Not finished. Waiting an extra {0} seconds", counter * 10);
Thread.Sleep(counter * 10 * 1000);
results = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
}
counter += 1;
}
}
}
public static void Scout(string rhost, string domain, string ruser, string rpwd, string scoutfpath, string log, string scout_action, string scout_np, bool verbose)
{
List <String> actions = new List <string>()
{
"all", "wef", "pws", "ps", "svcs", "auditpol", "cmdline"
};
if (!actions.Contains(scout_action))
{
Console.WriteLine("[*] Not supported.");
Console.WriteLine("[*] Exiting");
return;
}
if (rpwd == "")
{
Console.Write("Password for {0}\\{1}: ", domain, ruser);
rpwd = Utils.GetPassword();
Console.WriteLine();
}
string uploadPath = System.Reflection.Assembly.GetEntryAssembly().Location;
int index = scoutfpath.LastIndexOf(@"\");
string scoutFolder = scoutfpath.Substring(0, index + 1);
string args = "/o";
Console.WriteLine("[+] Uploading Scout to {0} on {1}", scoutfpath, rhost);
RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Executing the Scout via WMI ...");
RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd);
Console.WriteLine("[+] Connecting to the Scout ...");
string result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN");
if (result.Equals("SYN/ACK"))
{
Console.WriteLine("[+] OK");
string results;
if (scout_action.Equals("all"))
{
string temp;
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "wef");
results = Encoding.UTF8.GetString(Convert.FromBase64String(temp));
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pws");
results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cmdline");
results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "ps");
results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "svcs");
results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "auditpol");
results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
}
else
{
results = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, scout_action);
results = Encoding.UTF8.GetString(Convert.FromBase64String(results));
NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
}
if (verbose)
{
Console.WriteLine("[+] Grabbing the Scout output...");
System.Threading.Thread.Sleep(1000);
string sresults = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
Console.WriteLine("[+] Results:");
Console.WriteLine();
Console.WriteLine(sresults);
}
Console.WriteLine("[+] Scout Results...");
Console.WriteLine();
Console.WriteLine(results);
Console.WriteLine();
Console.WriteLine("[+] Cleaning up...");
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
}
}
public static async Task <RemoteLaunchUriStatus> TrySharetext(RemoteSystem device, string text)
{
RemoteSystemConnectionRequest connectionRequest = new RemoteSystemConnectionRequest(device);
return(await RemoteLauncher.LaunchUriAsync(connectionRequest, new Uri("share-app:?Text=" + Uri.EscapeDataString(text))));
}
public static async Task <RemoteLaunchUriStatus> TryOpenStoreToApp(RemoteSystem device, String appTarget)
{
RemoteSystemConnectionRequest connectionRequest = new RemoteSystemConnectionRequest(device);
return(await RemoteLauncher.LaunchUriAsync(connectionRequest, new Uri(appTarget)));
}
public static async Task <RemoteLaunchUriStatus> TryShareURL(RemoteSystem device, string url)
{
RemoteSystemConnectionRequest connectionRequest = new RemoteSystemConnectionRequest(device);
return(await RemoteLauncher.LaunchUriAsync(connectionRequest, new Uri(url)));
}
