/// <summary>
/// Copies this program's own executable to a remote host, starts it there through WMI,
/// drives it over a named pipe to collect host-configuration data, prints the results,
/// and then deletes the uploaded executable and its log file.
/// </summary>
/// <param name="rhost">Remote host name or address.</param>
/// <param name="domain">Domain used together with <paramref name="ruser"/> for authentication.</param>
/// <param name="ruser">Remote user name.</param>
/// <param name="rpwd">Remote password; when empty, it is prompted for interactively via Utils.GetPassword.</param>
/// <param name="scoutfpath">Full remote path the executable is written to; its folder (up to the last backslash) is also used for the log file.</param>
/// <param name="log">Log file name, expected to live in the same folder as <paramref name="scoutfpath"/>.</param>
/// <param name="scout_action">One of "all", "wef", "pws", "ps", "svcs", "auditpol" or "cmdline"; anything else exits early.</param>
/// <param name="scout_np">Named-pipe name used to talk to the remote instance.</param>
/// <param name="verbose">When true, the remote log file is also read back and printed.</param>
/// <remarks>
/// Every step after argument validation is a remote side effect: a file write to <paramref name="rhost"/>,
/// a WMI process creation, named-pipe traffic and two file deletions. The printed cleanup paths are of the
/// form \\rhost\C$\... which suggests (but this method does not itself show) that the file operations go
/// over an administrative share. Each of these is a distinct host/network event that endpoint telemetry
/// can record. If the pipe handshake fails, none of the cleanup runs, so the uploaded executable and any
/// process started by WMI remain on the host.
/// </remarks>
public static void Scout(string rhost, string domain, string ruser, string rpwd, string scoutfpath, string log, string scout_action, string scout_np, bool verbose)
{
    // Allowed values for scout_action; "all" expands to the six individual actions below.
    List<String> actions = new List<string>() { "all", "wef", "pws", "ps", "svcs", "auditpol", "cmdline" };
    if (!actions.Contains(scout_action))
    {
        Console.WriteLine("[*] Not supported.");
        Console.WriteLine("[*] Exiting");
        return;
    }
    // Only an empty string triggers the prompt; a null rpwd falls through to the remote calls unchanged.
    if (rpwd == "")
    {
        Console.Write("Password for {0}\\{1}: ", domain, ruser);
        rpwd = Utils.GetPassword();
        Console.WriteLine();
    }
    // The file uploaded is this very assembly. NOTE(review): GetEntryAssembly() can be null in some
    // hosting scenarios, which would throw NullReferenceException here — confirm for the intended host.
    string uploadPath = System.Reflection.Assembly.GetEntryAssembly().Location;
    // scoutFolder is everything up to and including the last backslash. If scoutfpath contains no
    // backslash, index is -1 and scoutFolder becomes "", so the log path degenerates to just `log`.
    int index = scoutfpath.LastIndexOf(@"\");
    string scoutFolder = scoutfpath.Substring(0, index + 1);
    // Command-line argument handed to the remote process; its meaning is defined by the uploaded program, not here.
    string args = "/o";
    Console.WriteLine("[+] Uploading Scout to {0} on {1}", scoutfpath, rhost);
    RemoteLauncher.upload(uploadPath, scoutfpath, rhost, ruser, rpwd, domain);
    Console.WriteLine("[+] Executing the Scout via WMI ...");
    RemoteLauncher.wmiexec(rhost, scoutfpath, args, domain, ruser, rpwd);
    Console.WriteLine("[+] Connecting to the Scout ...");
    // Handshake: send "SYN" over the pipe and expect the literal reply "SYN/ACK".
    // NOTE(review): if NamedPipes.RunClient can return null (e.g. the pipe never appears), this
    // .Equals call throws NullReferenceException instead of reporting a failed connection — verify.
    string result = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "SYN");
    if (result.Equals("SYN/ACK"))
    {
        Console.WriteLine("[+] OK");
        string results;
        if (scout_action.Equals("all"))
        {
            // Each reply is a base64 string that decodes to UTF-8 text; replies are concatenated
            // in this fixed order: wef, pws, cmdline, ps, svcs, auditpol. Convert.FromBase64String
            // throws FormatException on a malformed reply, which aborts the run before cleanup.
            string temp;
            temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "wef");
            results = Encoding.UTF8.GetString(Convert.FromBase64String(temp));
            temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "pws");
            results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
            temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "cmdline");
            results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
            temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "ps");
            results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
            temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "svcs");
            results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
            temp = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "auditpol");
            results += Encoding.UTF8.GetString(Convert.FromBase64String(temp));
            // "quit" tells the remote instance to stop; its reply is discarded.
            NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
        }
        else
        {
            // Single action: one request, one base64/UTF-8 reply, then "quit".
            results = NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, scout_action);
            results = Encoding.UTF8.GetString(Convert.FromBase64String(results));
            NamedPipes.RunClient(rhost, domain, ruser, rpwd, scout_np, "quit");
        }
        if (verbose)
        {
            Console.WriteLine("[+] Grabbing the Scout output...");
            // Fixed one-second pause before reading the remote log; presumably gives the remote
            // process time to flush it after "quit" — not synchronized with anything, so it may be
            // too short on a slow host.
            System.Threading.Thread.Sleep(1000);
            string sresults = RemoteLauncher.readFile(rhost, scoutFolder + log, ruser, rpwd, domain);
            Console.WriteLine("[+] Results:");
            Console.WriteLine();
            Console.WriteLine(sresults);
        }
        Console.WriteLine("[+] Scout Results...");
        Console.WriteLine();
        Console.WriteLine(results);
        Console.WriteLine();
        Console.WriteLine("[+] Cleaning up...");
        // The printed path rewrites "C:\..." to "\\rhost\C$\..." for display only; the delete
        // calls receive the original local-style path. Both deletions happen only on this
        // success path, and any exception above skips them.
        Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + scoutfpath.Replace(":", "$"));
        RemoteLauncher.delete(scoutfpath, rhost, ruser, rpwd, domain);
        Console.WriteLine("[+] Deleting " + @"\\" + rhost + @"\" + (scoutFolder + log).Replace(":", "$"));
        RemoteLauncher.delete(scoutFolder + log, rhost, ruser, rpwd, domain);
    }
}